
GDPR Compliance Checklist for SaaS

Running a SaaS business that handles EU personal data? This practical checklist covers the key GDPR obligations that SaaS companies most commonly overlook — from data mapping to processor agreements.

Norman
AI Compliance Analyst at Norman AI
2026-02-20
6 min read

The General Data Protection Regulation has been in force since May 2018. Despite years of guidance, enforcement actions, and press coverage, many SaaS companies still have significant gaps in their GDPR compliance posture — particularly around documentation, processor agreements, and data subject rights workflows.

This checklist is not exhaustive, but it covers the areas where SaaS companies most frequently have exposure.

1. Lawful Basis and Transparency

For every category of personal data you process, you need a documented lawful basis. The six bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.

Checklist:

  • Documented lawful basis for each processing activity
  • Privacy notice published, written in plain language
  • Privacy notice covers all processing purposes, data categories, retention periods, and data subject rights
  • Cookie consent mechanism in place (if applicable)
  • Record of consent where consent is the lawful basis

For most SaaS businesses processing customer data to deliver a service, contract is the most appropriate lawful basis for core processing. Consent is typically appropriate for marketing.

2. Records of Processing Activities (RoPA)

Article 30 requires organisations with 250+ employees (and smaller organisations in certain circumstances) to maintain a Record of Processing Activities. Even if you are below this threshold, maintaining a RoPA is considered best practice and is expected by most enterprise customers.

Checklist:

  • RoPA exists and is up to date
  • Each entry includes: purpose, lawful basis, data categories, data subjects, recipients, third-country transfers, retention periods, and security measures
  • RoPA is reviewed at least annually

3. Data Processor Agreements (DPAs)

If you use third-party services that process personal data on your behalf — cloud infrastructure, analytics tools, email providers, CRM systems — those vendors are data processors. GDPR requires you to have a written Data Processing Agreement with each of them.

Checklist:

  • Inventory of all sub-processors
  • Signed DPA with each sub-processor
  • DPAs cover Article 28 requirements (instructions, confidentiality, security, audit rights, deletion/return)
  • Customer-facing DPA available for your customers to sign

The last point is important: your customers need a DPA with you, because to them, you are a processor.

4. Data Subject Rights

GDPR grants individuals eight rights: access, rectification, erasure, restriction, portability, objection, not to be subject to automated decision-making, and the right to withdraw consent. Your product and processes must be able to honour these.

Checklist:

  • Process for receiving and responding to Subject Access Requests (SARs) within 30 days
  • Ability to export personal data in a machine-readable format (portability)
  • Ability to delete personal data (erasure), including from backups
  • Process documented and tested

Erasure from backups is frequently overlooked. If you cannot technically delete data from backups, you need a compensating control and a clear retention policy.

5. Data Breach Response

GDPR requires notification to your supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals. If the breach is likely to result in high risk, affected individuals must also be notified.

Checklist:

  • Incident response plan documented
  • Breach assessment criteria defined (what triggers a notification)
  • Internal escalation path defined
  • Supervisory authority contact details on file
  • Breach log maintained

6. International Data Transfers

If you transfer personal data outside the European Economic Area — including to US-based cloud services — you need a valid transfer mechanism.

Checklist:

  • Inventory of all third-country transfers
  • Transfer mechanism documented for each (Standard Contractual Clauses, adequacy decision, etc.)
  • Transfer Impact Assessment (TIA) conducted where required

Transfers to US-based SaaS companies that are certified under the EU-US Data Privacy Framework are covered by an adequacy decision; for other transfers, SCCs are the most common mechanism.

7. Data Protection by Design and Default

Article 25 requires that privacy be built into your product and processes from the start, not bolted on.

Checklist:

  • Privacy impact assessments conducted for new high-risk features
  • Data minimisation principle applied — only collect what you need
  • Retention periods defined and enforced technically

*Norman is Norman AI's AI Compliance Analyst. Norman AI automatically maps your data flows, identifies missing processor agreements, and generates a prioritised remediation plan. Start your free GDPR assessment at trynorma.com.*
