GDPR Compliance

Ryan Rutan

GDPR (General Data Protection Regulation) is the EU's comprehensive privacy regulation enacted in 2018. It establishes data protection rights for EU residents and applies to any company processing their personal data, regardless of where the company is based. Non-compliance risks fines of up to 4% of global annual revenue (or €20M, whichever is greater) and other regulatory enforcement. Compliance requires documented data practices, user consent mechanisms, handling of data subject rights (access, deletion, portability), data breach notification procedures (within 72 hours to the supervisory authority), and other operational requirements. It is the regulation that fundamentally changed how companies worldwide handle personal data.

The key requirements:

Lawful basis for processing:

  • Consent, contract, legal obligation, vital interests, public task, or legitimate interests.
  • Must document which basis applies to each processing activity.

Data subject rights:

  • Access (knowing what data is held).
  • Rectification (correcting errors).
  • Erasure ("right to be forgotten").
  • Data portability (taking data elsewhere).
  • Restriction of processing.
  • Objection to processing.

Consent requirements (when consent is legal basis):

  • Clear, specific, informed, unambiguous.
  • Easy to withdraw.
  • Documented.

Data Processing Records:

  • Documentation of what data, why, how long, who has access.
  • Article 30 records (required for most companies).

Data breach notification:

  • Notification to the supervisory authority within 72 hours if the breach is likely to affect individuals' rights.
  • Notification to the affected individuals if the risk to them is high.

Data Protection Officer (DPO):

  • Required for some processors (those processing special category data at large scale).
  • Often required in healthcare and financial services.

Privacy by design:

  • Privacy is considered in product design from the beginning.
  • Data minimization principle.

International transfers:

  • Standard Contractual Clauses (SCCs) for transfers outside the EU.
  • Adequacy decisions (the UK has one; the US now has a framework).

Who must comply:

EU-based companies: directly subject.

Non-EU companies processing EU data: subject if:

  • Offering goods/services to EU residents.
  • Monitoring EU resident behavior.

Most US companies with any EU users: effectively subject.

Common compliance approaches:

Privacy policy: comprehensive disclosure.

Cookie consent management: tools like OneTrust, Cookiebot, Termly.

Data processing inventory: documentation of all data processing.

Vendor management: DPAs with processors.

Data subject request handling: process for handling user requests.

Breach response plan: documented procedures.

Ryan's Take

The mistake US founders make is assuming GDPR is Europe's problem. It isn't. The moment an EU user signs up, you are processing EU data and the rules apply to you. Get consent and policies handled with Termly, OneTrust, or Cookiebot, sign DPAs with any vendor that touches that data, and don't improvise your response to data-subject requests. Compliance costs you a few hours and a small tool bill. Non-compliance can run up to 4% of global revenue.

What founders get wrong: Assuming GDPR doesn't apply because the company is US-based, then facing enforcement when EU users are involved. The right discipline: GDPR applies to any company processing EU data; treat compliance seriously; use compliance tools.

Related: Privacy Policy · Data Processing Agreement · SOC 2 Compliance · Terms of Service · International Equity Grants

FAQ

What is GDPR compliance?
General Data Protection Regulation: the EU's comprehensive privacy regulation establishing data protection rights for EU residents. Applies to any company processing EU residents' personal data regardless of company location.

Does GDPR apply to US companies?
Yes, if the company processes EU residents' data (offers goods/services to EU residents or monitors EU resident behavior). Most US companies with any EU users are effectively subject to GDPR.

What's required for GDPR compliance?
A documented lawful basis for each processing activity, handling of data subject rights (access, deletion, portability), consent mechanisms (when applicable), data processing records (Article 30), breach notification (within 72 hours to the supervisory authority), and in some cases a Data Protection Officer. Plus DPAs with vendors and SCCs for international transfers.
