GDPR Compliance Checklist for SaaS Companies in 2026
If you're a DPO, CTO, or engineering lead at a SaaS company, GDPR compliance isn't optional — it's a business requirement that touches everything from your privacy policy wording to your database schema design. Fines under GDPR can reach 4% of global annual revenue, and enforcement has only accelerated since 2024.
Here's the 15-point checklist we've developed after analyzing hundreds of SaaS privacy policies with Nudam, updated for 2026 enforcement trends.
Legal basis — Priority: Critical
1. Document your lawful basis for every processing activity
GDPR requires one of six lawful bases for each type of data processing you perform. Many SaaS companies default to "legitimate interest" as a catch-all — but data protection authorities are increasingly challenging this. The Irish DPC's 2025 ruling against a major SaaS CRM specifically cited over-reliance on legitimate interest without proper balancing tests.
Action: Create a processing register that maps every data flow to a specific lawful basis. Review quarterly.
2. Implement granular consent mechanisms
Pre-checked consent boxes are illegal. Bundled consent ("agree to everything or leave") is illegal. Each distinct processing purpose needs its own separate, specific, informed, and freely given consent. Your cookie banner must offer genuine choices — not just an "Accept All" button with a tiny "Manage" link.
Action: Audit every consent touchpoint. Ensure each can be withdrawn as easily as it was given.
3. Maintain a Record of Processing Activities
Article 30 requires a detailed ROPA covering: purpose of processing, categories of data subjects, data categories collected, recipients, international transfers, retention periods, and security measures. This is the first document regulators request during an investigation.
Action: Build your ROPA now if you don't have one. Tools like OneTrust or a well-maintained spreadsheet both work.
User rights — Priority: Critical
4. Build self-service data export
Article 20 grants users the right to data portability in a "structured, commonly used, machine-readable format." In practice, this means JSON or CSV export available directly in your product dashboard. Manual export processes that require engineering intervention don't scale and create significant compliance risk during high-volume SAR periods.
5. Implement right to erasure with cascade deletion
When a user requests deletion under Article 17, their data must be removed from your primary database, replicated databases, backup systems (within a reasonable timeframe), third-party integrations, analytics platforms, logging systems, and any ML training datasets. Document your cascade deletion process end-to-end.
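One way to make the cascade auditable, as an added example that is not part of the original article: a Python job that deletes a subject from every registered store, records the outstanding backup obligation, and re-scans each store for residual rows. The three SQLite databases, the store register and the tombstone table are constructed for illustration.

```python
"""Added example (not from the article): a cascade-erasure job for an
Article 17 request. Three constructed in-memory SQLite databases stand in
for the primary DB, the analytics store and the log store. Backups are
immutable snapshots, so the job records a tombstone instead of editing them."""
import sqlite3

# Constructed register of store -> (table, column holding the subject key).
# Identifiers come only from this fixed register, never from user input.
# In practice the register is derived from the ROPA (item 3).
STORES = {
    "primary":   ("users",      "user_id"),
    "analytics": ("events",     "user_id"),
    "logs":      ("access_log", "user_id"),
}

def build_fixture():
    """Create the three constructed stores with sample rows for two users."""
    dbs = {name: sqlite3.connect(":memory:") for name in STORES}
    dbs["primary"].execute("CREATE TABLE users(user_id TEXT, email TEXT)")
    dbs["primary"].executemany("INSERT INTO users VALUES(?,?)",
        [("u1", "a@example.com"), ("u2", "b@example.com")])
    dbs["analytics"].execute("CREATE TABLE events(user_id TEXT, kind TEXT)")
    dbs["analytics"].executemany("INSERT INTO events VALUES(?,?)",
        [("u1", "login"), ("u1", "export"), ("u2", "login")])
    dbs["logs"].execute("CREATE TABLE access_log(user_id TEXT, ip TEXT)")
    dbs["logs"].execute("INSERT INTO access_log VALUES('u1','203.0.113.5')")
    dbs["primary"].execute(
        "CREATE TABLE backup_tombstones(user_id TEXT, requested_at TEXT)")
    return dbs

def erase_subject(dbs, user_id, requested_at):
    """Delete user_id from every registered store, then re-scan each store
    for residual rows. Returns (deleted_counts, residual_stores); a non-empty
    residual list means the cascade is incomplete and must not be reported
    to the data subject as done."""
    deleted = {}
    for name, (table, col) in STORES.items():
        cur = dbs[name].execute(f"DELETE FROM {table} WHERE {col}=?", (user_id,))
        deleted[name] = cur.rowcount
    # Record the obligation so the backup rotation job purges the subject
    # when the snapshot expires or is restored.
    dbs["primary"].execute("INSERT INTO backup_tombstones VALUES(?,?)",
                           (user_id, requested_at))
    residual = [name for name, (table, col) in STORES.items()
                if dbs[name].execute(f"SELECT COUNT(*) FROM {table} WHERE {col}=?",
                                     (user_id,)).fetchone()[0] > 0]
    return deleted, residual
```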
6. Support right to rectification in the UI
Users must be able to correct inaccurate personal data. If your application has profile fields that cannot be edited by the user directly — like an auto-assigned company name or a system-generated email classification — that's a compliance gap you need to address.
7. Respond to Subject Access Requests within 30 days
Have a documented, tested SAR response process. Who receives the request? Who compiles the data? What format is the response delivered in? What verification steps confirm the requester's identity? Practice with internal test SARs before a real one arrives from a regulator or data subject.
Technical measures — Priority: High
8. Encrypt data at rest and in transit
TLS 1.3 for all data in transit. AES-256 for data at rest. Column-level or field-level encryption for particularly sensitive data categories like email addresses, IP addresses, and financial information. This is table stakes for any SaaS company in 2026 — lack of encryption is one of the most commonly cited GDPR violations.
9. Implement data minimization in your schema
Article 5(1)(c) requires that you only collect data that is "adequate, relevant, and limited to what is necessary." Audit your database schema quarterly — if a column hasn't been queried in 6 months, you probably don't need it. Drop it. Every unnecessary field is a liability during a breach.
10. Set automatic retention limits
Don't keep data indefinitely "just in case." Define specific TTLs for each data category. Implement automated deletion jobs. Log and monitor retention compliance metrics. "As long as necessary" in your privacy policy is not a valid retention schedule — regulators now expect concrete timeframes.
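A concrete shape for such a job, as an added example that is not from the article: a per-category retention schedule with fixed TTLs, an automated deletion pass, and the metrics (rows deleted, rows still overdue, oldest remaining age) that a retention dashboard would monitor. The tables, categories and TTL values are constructed policy values for illustration.

```python
"""Added example (not from the article): a retention job enforcing a
per-category TTL and reporting compliance metrics over a constructed
SQLite fixture. Categories and TTLs are hypothetical policy values."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: category -> (table, timestamp column, TTL).
# Concrete timeframes like these are what the privacy policy should cite.
RETENTION = {
    "access_logs":     ("access_log", "created_at", timedelta(days=90)),
    "support_tickets": ("tickets",    "closed_at",  timedelta(days=365)),
}
# Fixed "current time" so the fixture and the run are reproducible.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)

def build_fixture(now):
    """Two constructed tables, each with one expired and one fresh row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access_log(id INTEGER, created_at TEXT)")
    db.execute("CREATE TABLE tickets(id INTEGER, closed_at TEXT)")
    rows = [("access_log", "created_at", 1, now - timedelta(days=100)),  # expired
            ("access_log", "created_at", 2, now - timedelta(days=10)),   # fresh
            ("tickets", "closed_at", 1, now - timedelta(days=400)),      # expired
            ("tickets", "closed_at", 2, now - timedelta(days=30))]       # fresh
    for table, col, rid, ts in rows:
        # Timestamps stored as tz-aware ISO 8601 so string comparison is safe.
        db.execute(f"INSERT INTO {table}(id,{col}) VALUES(?,?)", (rid, ts.isoformat()))
    return db

def run_retention(db, now):
    """Delete rows older than their category TTL and return per-category
    metrics. 'overdue' should always be 0 after a run; a non-zero value is
    the alert condition for the retention monitor."""
    metrics = {}
    for category, (table, col, ttl) in RETENTION.items():
        cutoff = (now - ttl).isoformat()
        deleted = db.execute(f"DELETE FROM {table} WHERE {col} < ?", (cutoff,)).rowcount
        overdue = db.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} < ?",
                             (cutoff,)).fetchone()[0]
        oldest = db.execute(f"SELECT MIN({col}) FROM {table}").fetchone()[0]
        oldest_age = (now - datetime.fromisoformat(oldest)).days if oldest else 0
        metrics[category] = {"deleted": deleted, "overdue": overdue,
                             "oldest_age_days": oldest_age}
    db.commit()
    return metrics
```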
11. Privacy by design for new features
Article 25 requires data protection by design and by default. Every new feature should include a privacy impact assessment before development begins. Add a "Privacy Review" step to your sprint planning template or pull request checklist. It's far cheaper to design privacy in than to retrofit it.
Third parties — Priority: High
12. Audit all sub-processors quarterly
List every third-party service that touches user data — your database host, email provider, analytics platform, error monitoring, payment processor, CDN, and support tools. Verify each has a signed Data Processing Agreement. Review their compliance certifications (SOC 2, ISO 27001). Update this list every quarter and notify users of changes.
13. Ensure valid transfer mechanisms for non-EU data flows
After the Schrems II ruling, Standard Contractual Clauses (SCCs) are required for most data transfers to US-based processors. The EU-US Data Privacy Framework helps, but only covers US companies that have self-certified. For processors in other countries, you need to conduct Transfer Impact Assessments.
Organizational — Priority: Medium
14. Appoint a DPO if required
You need a Data Protection Officer if you process personal data at scale, systematically monitor individuals, or process special categories of data (health, biometric, etc.). The DPO must report independently to senior management and have adequate resources. Many SaaS companies above 50 employees will meet the threshold.
15. Test your breach notification procedure annually
Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach. Article 34 requires notifying affected individuals "without undue delay" if the breach poses a high risk. Run a tabletop breach simulation at least once a year. Time your team's response. Document the results.
Common pitfalls we see in SaaS policies
After analyzing hundreds of SaaS privacy policies, the five most common failures are: vague retention policies using "as long as necessary" instead of specific timeframes; missing sub-processor lists (required by Article 28); cookie consent banners that appear to offer choices but don't actually block tracking until consent is given; incomplete deletion cascades where user data is removed from the primary database but persists in analytics, logs, and backups; and outdated Data Processing Agreements signed before the 2021 SCC updates.
Want to check how your own privacy policy scores against GDPR requirements? Analyze your SaaS stack at nudam.app/scores — Nudam's AI evaluates the full text against GDPR, CCPA, and LGPD compliance criteria.
This article is informational and does not constitute legal advice. Consult a qualified DPO or privacy lawyer for guidance specific to your organization.