There is a question nearly every founder asks in the first fifteen minutes of a compliance call: "Does GDPR even apply to us?" Sometimes the subtext is anxiety. More often, it is optimism: the hope that because the startup is Indian, American, or Singapore-registered, a European regulation simply does not reach them. It is a reasonable hope. It is also, in most cases, wrong. GDPR follows the data subject, not the company.
The Extraterritorial Reality
Article 3 of GDPR extends jurisdiction in two ways that matter to every startup:
- Establishment criterion: If your company has any form of establishment in the EU (an office, a subsidiary, even a single remote employee in France), GDPR applies to all your processing activities.
- Targeting criterion: If you offer goods or services to people in the EU/UK, or monitor their behaviour, GDPR applies. Your company can be registered in Pune or Palo Alto; it makes no difference.
The targeting criterion is where most startups trip. "Offering goods or services" does not require an EU subsidiary. It requires intent, and intent is inferred from behaviour:
- Your website accepts EUR or GBP as a payment currency
- Your pricing page has a country dropdown that includes EU member states
- You run paid advertising targeted at users in Germany, France, or the Netherlands
- Your copy is translated into German, French, Spanish, Italian, or Dutch
- Your SaaS platform is used by EU-based customers, even through a US reseller
The modern SaaS stack is effectively a GDPR-scope machine. The moment you deploy Google Analytics, Meta Pixel, HubSpot forms, Intercom chat, or Stripe checkout, and an EU visitor lands on your site, you have started collecting personal data from an EU subject. There is no signup required. The data subject does not have to be a customer. They just have to visit. This is why the "we are not live in Europe yet" defence rarely works.
The 8-Question Self-Assessment
Work through these honestly. At the end, count your YES answers and check the scoring band.
Q1: Do you have any users, customers, or visitors from the EU or UK?
Check your analytics. Not your target market, but your actual traffic and signup data. GDPR has no minimum threshold. Ten EU users counts the same as ten million when it comes to jurisdiction.
Q2: Do you use third-party tools that process data from EU users?
If your CRM, email platform, analytics, payment processor, or cloud storage touches EU personal data, you are responsible for the chain. You need a DPA with every one of them.
Q3: Do you process special category data?
Health data, biometric identifiers, genetic data, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership. If your product touches any of these, even incidentally, you almost certainly need a DPIA.
Q4: Do you transfer data outside the EU/UK?
If your servers are in AWS us-east-1, your analytics in Google Cloud Iowa, or your support tool has its primary database in the US, you are transferring data internationally. You need Standard Contractual Clauses and likely a Transfer Impact Assessment.
Q5: Do you rely on consent as your primary legal basis?
If your answer is "yes, we have a checkbox on signup," you are probably non-compliant. Valid GDPR consent is specific, granular, informed, and freely withdrawable, per processing purpose. Bundled consent is invalid.
Q6: Can you locate, export, and delete a specific user's data within 30 days?
A Subject Access Request is not a legal event; it is an engineering event. Can your team today pull every row relating to a single user across production, backups, analytics, CRM, support, and email?
Q7: Do you have a documented breach notification procedure?
Within 72 hours of becoming aware of a breach, you must notify the supervisory authority. That clock does not wait for your legal review, your PR team, or your CEO returning from holiday.
Q8: Do your privacy notices reflect what you actually do?
Not what a template says. Not what you did at launch. What your product does today with user data. The Spotify fine (EUR 5M, 2023) was for having a privacy policy that did not meaningfully tell users how their data was used.
Your Score: What It Means
| Score | Signal | Recommended Action |
|---|---|---|
| 0-1 YES | Low Scope | Likely out of scope, but verify annually. Circumstances change. |
| 2-4 YES | In Scope | GDPR applies. Build baseline compliance now: data mapping, DPAs, privacy notice. |
| 5-6 YES | High Exposure | Material compliance gap. Prioritise a formal readiness assessment within 30 days. |
| 7-8 YES | Critical | Regulatory risk is immediate. Engage a DPO or external GRC partner this quarter. |
Five Exemption Myths That Will Cost You
| The Myth | The Reality |
|---|---|
| "We are under 250 employees, so the SMB exemption applies." | There is no SMB exemption. Article 30 record-keeping relief for under 250 employees has narrow carve-outs and almost never applies for tech companies. |
| "We only process B2B data, no consumers." | B2B contact data is still personal data. A named employee work email is GDPR-covered. This is the most-fined misconception. |
| "We do not sell user data, so we are fine." | GDPR is about processing, not selling. Collecting, storing, analysing, sharing with vendors: each needs a legal basis. |
| "Our users accepted the terms, so that is consent." | Bundled consent inside T&Cs is invalid. Consent must be specific, granular, and separable from other terms. Article 7 is not negotiable. |
| "We are pre-revenue, regulators will not bother." | Complaints often originate from users, not regulators. A single disgruntled EU user filing with their DPA triggers an investigation regardless of your ARR. |
The 30-Day Action Plan
Week 1: Discover
- Map your data flows. List every place personal data enters, lives, and exits your product: production DB, warehouse, analytics, email platform, CRM, support, backups.
- Inventory your subprocessors. Every third-party tool that touches personal data. Check each for a publicly available DPA.
- Identify your data categories. Flag anything that qualifies as special category.
Week 2: Document
- Write or rewrite your privacy notice to reflect actual data flows, not template language.
- Document a legal basis for each processing activity. Default to contract necessity or legitimate interests where defensible.
- Sign DPAs with every subprocessor. Where the vendor does not offer one, flag for replacement.
Week 3: Operationalise
- Build an in-product path for user rights (export, rectification, deletion). Not a support-email-only workflow.
- Write a 72-hour breach notification playbook. Name the on-call owner. Test with a tabletop exercise.
- Implement a retention schedule with technical enforcement: automated deletion, not policy on paper.
Week 4: Verify
- Run a tabletop SAR drill. Pick a real user. Can you produce their full data package in under a week?
- Commission an independent assessment, either a formal gap analysis or a continuous GRC platform.
- Set a review cadence. GDPR posture drifts every time you add a vendor or a feature.
Startups that treat GDPR as an engineering problem rather than a legal one close enterprise deals meaningfully faster. The same controls that satisfy a regulator are the first questions a Fortune 500 procurement team asks. For the full comparison of GDPR vs India DPDP Act, read our GDPR vs DPDP Act guide.
Frequently Asked Questions
Does GDPR apply if our company is not registered in the EU?
Yes. GDPR applies based on where your users are located, not where your company is incorporated. If you offer goods or services to EU/UK residents or monitor their behaviour (analytics, cookies), you are in scope regardless of your company registration, server location, or revenue.
Is there an exemption for companies with fewer than 250 employees?
No. There is no SMB exemption. Article 30 offers minor record-keeping relief for organisations with fewer than 250 employees, but the carve-out is narrow and almost never applies in practice for technology companies processing personal data regularly.
Does GDPR apply if we only have a handful of EU users?
Yes. GDPR has no minimum threshold for the number of EU data subjects. In principle, even one EU user brings you into scope. The practical enforcement risk scales with volume and severity, but the legal obligation exists from the first EU data subject.
Is B2B contact data exempt from GDPR?
No. B2B contact data is still personal data under GDPR. A named employee work email (e.g. john@company.eu) identifies a specific natural person and is fully covered. This is one of the most commonly fined misconceptions in GDPR enforcement.
What does a score of 7-8 on the self-assessment mean?
A score of 7-8 indicates critical regulatory risk. You likely have material gaps across multiple GDPR obligations: data flows, legal basis, vendor agreements, user rights, and breach notification. The recommended action is to engage a Data Protection Officer or external GRC partner within the current quarter to begin a formal readiness programme.