GDPR Compliance Checklist for SaaS Apps

GDPR compliance is not a one-time task — it's an ongoing operational requirement. This checklist covers the key areas SaaS developers must address when processing EU personal data. Work through each section systematically; mark critical items before launch and revisit recommended items in your first sprint post-launch.

Legal Basis & Consent

  • Identify the legal basis for every data processing activity

    critical

    Document whether each processing activity relies on consent, legitimate interest, contract, legal obligation, vital interest, or public task.

  • Implement granular consent for non-essential cookies and tracking

    critical

    Consent banners must offer genuine choice — pre-checked boxes or bundled consent are non-compliant. Use a CMP like Cookiebot or Termly.

  • Store consent records with timestamps and the version of the privacy policy shown

    critical

    You must be able to prove when a user consented and what they agreed to. Log consent events in your database.

  • Provide a simple, accessible mechanism to withdraw consent

    critical

    Withdrawing consent must be as easy as giving it. A visible link in every email footer and in account settings is the minimum.

  • Review legitimate interest claims with a balancing test

    recommended

    Legitimate interest requires a three-part test: purpose, necessity, and balancing. Document this for each LI claim.
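The two consent-record items above (proving when a user consented and to what, and making withdrawal as easy as granting) are both served by an append-only event log. The example below is added here to illustrate that pattern; it is not code from the checklist or from any CMP. The category names, field names and the `policy-vN` version strings are assumptions, and the sample history is constructed.

```python
"""Append-only consent log.

Added example (not from the checklist): every consent decision is stored as an
event with a UTC timestamp, the policy version the user saw, and where the
choice was made, so the log can prove when a user consented and to what.
Withdrawal is just another event. Category and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Non-essential categories that need consent; strictly necessary cookies do not.
CONSENT_CATEGORIES = ("functional", "analytics", "marketing")


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    category: str           # one of CONSENT_CATEGORIES
    granted: bool           # True = consent given, False = consent withdrawn
    policy_version: str     # version of the privacy/cookie policy shown at the time
    recorded_at: datetime   # timezone-aware UTC timestamp
    source: str             # e.g. "cookie_banner", "account_settings", "email_footer"


class ConsentLog:
    """Events are only appended; current state is derived from history, never overwritten."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, category: str, granted: bool,
               policy_version: str, source: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        if category not in CONSENT_CATEGORIES:
            raise ValueError(f"unknown consent category: {category!r}")
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        event = ConsentEvent(user_id, category, granted, policy_version,
                             at.astimezone(timezone.utc), source)
        self._events.append(event)
        return event

    def history(self, user_id: str) -> List[ConsentEvent]:
        """All events for a user in chronological order (stable sort keeps insertion order on ties)."""
        return sorted((e for e in self._events if e.user_id == user_id),
                      key=lambda e: e.recorded_at)

    def current_state(self, user_id: str) -> Dict[str, bool]:
        """Latest decision per category. Undecided categories are False: consent is never assumed."""
        state = {c: False for c in CONSENT_CATEGORIES}
        for event in self.history(user_id):
            state[event.category] = event.granted
        return state

    def proof_of_consent(self, user_id: str, category: str) -> Optional[ConsentEvent]:
        """The event currently authorising processing in this category, or None if withdrawn or never given."""
        latest = None
        for event in self.history(user_id):
            if event.category == category:
                latest = event
        return latest if latest is not None and latest.granted else None

    def needs_reconsent(self, user_id: str, current_policy_version: str) -> List[str]:
        """Categories where the consent in force was given under an older policy version."""
        stale = []
        for category in CONSENT_CATEGORIES:
            proof = self.proof_of_consent(user_id, category)
            if proof is not None and proof.policy_version != current_policy_version:
                stale.append(category)
        return stale


def demo_log() -> ConsentLog:
    """Constructed sample history: two banner choices, then a withdrawal via an email footer link."""
    log = ConsentLog()
    t1 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2024, 5, 20, 18, 30, tzinfo=timezone.utc)
    log.record("user-42", "analytics", True, "policy-v3", "cookie_banner", at=t1)
    log.record("user-42", "marketing", True, "policy-v3", "cookie_banner", at=t1)
    log.record("user-42", "marketing", False, "policy-v4", "email_footer", at=t2)
    return log
```

Because state is derived rather than stored, the log itself is the evidence: `proof_of_consent` returns the exact banner event (timestamp, policy version, source) that authorises analytics for `user-42`, while marketing reads as withdrawn and `needs_reconsent` flags analytics as granted under a superseded policy.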

Privacy Policy & Notices

  • Write a privacy policy in plain language — avoid legal boilerplate

    critical

    Explain clearly: what data you collect, why, how long you keep it, who you share it with, and how users can exercise their rights.

  • Include a Data Processing Agreement (DPA) with every third-party processor

    critical

    Any vendor that processes EU personal data on your behalf requires a DPA. Common examples: analytics tools, email providers, hosting.

  • Add a cookie policy listing every cookie and its purpose

    recommended

    Categorize cookies as necessary, functional, analytics, or marketing. List third-party cookies from embedded scripts.

  • Display a privacy notice at every data collection point

    recommended

    Forms, sign-up flows, and survey links should have a brief notice explaining what data is collected and the legal basis.

  • Date your privacy policy and notify users when it changes materially

    recommended

    Keep a changelog or version history. Email notice for material changes to terms is best practice (and sometimes required).

Data Subject Rights

  • Implement a self-serve data export feature (right to portability)

    critical

    Users have the right to request a machine-readable export of their data. Build an export endpoint that outputs JSON or CSV — don't rely on manual processes.

  • Build an account deletion flow that purges all personal data (right to erasure)

    critical

    Deletion must propagate to all data stores: primary DB, caches, backups (on schedule), analytics, and third-party processors.

  • Create an internal process for handling data subject requests within 30 days

    critical

    GDPR mandates response within one month. Document who handles requests, how they verify identity, and how they fulfill each type.

  • Provide a contact method for data-related requests in your privacy policy

    critical

    An email address like privacy@yourdomain.com is sufficient. A web form with an SLA is better.

  • Test your deletion flow to confirm data is actually removed

    recommended

    Run test user creation and deletion. Check your database, analytics, and email provider to verify data is gone.
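The erasure item above (deletion must reach every store) and the test item (confirm the data is actually gone) are two halves of one mechanism: fan the deletion out to every registered store, then query every store again and report anything left. The example below is added to show that shape; it is not code from the checklist. The store names, record layout and the failing-vendor simulation are constructed, and the in-memory `DictStore` stands in for whatever client a real deployment would use for its database, cache, analytics and processors.

```python
"""Erasure fan-out with independent verification.

Added example (not from the checklist): a user's personal data is deleted from
every registered store, then every store is queried again to confirm nothing
remains. A store that fails is reported, not skipped silently. Store names and
record shapes are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence


class DictStore:
    """Toy store keyed by record id; stands in for the primary DB, a cache, analytics, or a vendor API."""

    def __init__(self, name: str, records: Dict[str, dict]) -> None:
        self.name = name
        self._records = dict(records)

    def delete_user(self, user_id: str) -> int:
        """Remove every record belonging to the user; returns how many were removed."""
        doomed = [k for k, r in self._records.items() if r.get("user_id") == user_id]
        for k in doomed:
            del self._records[k]
        return len(doomed)

    def find_user(self, user_id: str) -> List[str]:
        """References to the user that still exist; this is the verification query."""
        return [f"{self.name}:{k}" for k, r in self._records.items() if r.get("user_id") == user_id]


class UnavailableStore(DictStore):
    """Simulates a third-party processor whose deletion API is down."""

    def delete_user(self, user_id: str) -> int:
        raise ConnectionError(f"{self.name}: deletion API unavailable")


@dataclass
class ErasureReport:
    user_id: str
    removed: Dict[str, int] = field(default_factory=dict)          # store -> records deleted
    failed: Dict[str, str] = field(default_factory=dict)           # store -> error message
    remaining: Dict[str, List[str]] = field(default_factory=dict)  # store -> references still present

    @property
    def complete(self) -> bool:
        """Erasure counts as done only when no store failed and no store still holds the user."""
        return not self.failed and not self.remaining


def erase_user(user_id: str, stores: Sequence[DictStore]) -> ErasureReport:
    report = ErasureReport(user_id)
    for store in stores:
        try:
            report.removed[store.name] = store.delete_user(user_id)
        except Exception as exc:  # one store failing must not hide the others' results
            report.failed[store.name] = str(exc)
    # Verification pass: ask each store what it holds now, independent of the delete calls.
    for store in stores:
        left = store.find_user(user_id)
        if left:
            report.remaining[store.name] = left
    return report


def sample_stores(vendor_down: bool = False) -> List[DictStore]:
    """Constructed data: two users spread across the kinds of store the checklist names."""
    stores = [
        DictStore("primary_db", {
            "u1": {"user_id": "u1", "email": "alice@example.test"},
            "u2": {"user_id": "u2", "email": "bob@example.test"},
        }),
        DictStore("session_cache", {"sess-a": {"user_id": "u1"}, "sess-b": {"user_id": "u2"}}),
        DictStore("analytics", {
            "ev-1": {"user_id": "u1", "event": "login"},
            "ev-2": {"user_id": "u1", "event": "export"},
            "ev-3": {"user_id": "u2", "event": "login"},
        }),
    ]
    vendor_cls = UnavailableStore if vendor_down else DictStore
    stores.append(vendor_cls("email_provider", {"contact-7": {"user_id": "u1", "email": "alice@example.test"}}))
    return stores
```

The verification pass deliberately ignores what the delete calls claimed and asks each store what it still holds. With the vendor down, the report shows the three first-party stores clean, the vendor call failed, and the contact record still present, which is exactly the case the "test your deletion flow" item is meant to catch. Backups on a rotation schedule would be tracked separately, since they cannot be verified at deletion time.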

Data Security & Retention

  • Encrypt personal data at rest and in transit

    critical

    TLS for all connections. Encrypted database fields for sensitive data (PII, payment info). Document your encryption approach.

  • Define and enforce a data retention policy

    critical

    Data should not be kept longer than necessary. Set automatic deletion schedules for inactive accounts, logs, and analytics data.

  • Implement access controls and audit logs for who accesses personal data

    recommended

    Not every employee needs access to production user data. Role-based access controls and access logs demonstrate compliance.

  • Have a documented data breach notification procedure

    critical

    GDPR requires notification to the supervisory authority within 72 hours of discovering a breach. Know your local supervisory authority (data protection authority) and have a notification template ready.

  • Review and minimize the personal data you collect

    recommended

    Data minimization is a GDPR principle. Audit your sign-up forms and analytics — every unnecessary field is a liability.
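The retention item in this section says to set automatic deletion schedules for inactive accounts, logs and analytics data. One way to make that enforceable is to express the policy as data (one rule per category, with the timestamp that defines age) and run a sweep against it. The example below is added for illustration and is not code from the checklist; the categories, retention periods, field names and sample records are all constructed and carry no regulatory meaning.

```python
"""Retention sweep driven by a policy table.

Added example (not from the checklist): each data category gets a maximum age
and the timestamp field that defines its age; the sweep reports which records
are past their retention period and refuses to run over records it has no rule
for. Categories, periods and sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RetentionRule:
    keep_for: timedelta
    age_field: str  # timestamp field that defines the record's age


# Policy as data so it can be reviewed and versioned alongside the privacy policy.
RETENTION_POLICY: Dict[str, RetentionRule] = {
    "account": RetentionRule(timedelta(days=730), "last_active_at"),    # inactive accounts
    "access_log": RetentionRule(timedelta(days=90), "created_at"),
    "analytics_event": RetentionRule(timedelta(days=365), "occurred_at"),
}


def find_expired(records: Iterable[dict], policy: Dict[str, RetentionRule],
                 now: datetime) -> Dict[str, List[str]]:
    """Return record ids due for deletion, grouped by category. Fails closed on unknown categories."""
    expired: Dict[str, List[str]] = {category: [] for category in policy}
    for rec in records:
        rule = policy.get(rec["category"])
        if rule is None:
            raise ValueError(f"record {rec['id']!r}: category {rec['category']!r} has no retention rule")
        age_marker = rec[rule.age_field]
        if age_marker.tzinfo is None:
            raise ValueError(f"record {rec['id']!r}: {rule.age_field} must be timezone-aware")
        if now - age_marker > rule.keep_for:
            expired[rec["category"]].append(rec["id"])
    return expired


# Constructed "now" for the sample data below.
SWEEP_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)


def sample_records() -> List[dict]:
    """Constructed records: one expired and one current entry per category (analytics has only an expired one)."""
    utc = timezone.utc
    return [
        {"id": "acct-1", "category": "account", "last_active_at": datetime(2021, 1, 5, tzinfo=utc)},
        {"id": "acct-2", "category": "account", "last_active_at": datetime(2024, 6, 1, tzinfo=utc)},
        {"id": "log-1", "category": "access_log", "created_at": datetime(2024, 2, 1, tzinfo=utc)},
        {"id": "log-2", "category": "access_log", "created_at": datetime(2024, 6, 20, tzinfo=utc)},
        {"id": "ev-1", "category": "analytics_event", "occurred_at": datetime(2023, 5, 1, tzinfo=utc)},
    ]
```

Running the sweep in report-only mode first (as `find_expired` does) lets the list of ids be reviewed before a scheduled job deletes them. Failing on an unknown category is the important design choice: a new table that nobody assigned a retention rule to should stop the job rather than be kept forever by default.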

Third-Party & International Transfers

  • Audit all third-party services for GDPR compliance and DPA availability

    critical

    Create a data processing register listing every vendor, the data shared, the legal basis, and where data is processed.

  • For US-based vendors, verify they rely on Standard Contractual Clauses (SCCs) or adequacy decisions

    recommended

    The EU-US Data Privacy Framework (2023) provides an adequacy decision. Verify vendor certification at dataprivacyframework.gov.

  • Replace non-compliant analytics with a privacy-first alternative

    recommended

    Google Analytics requires consent banners for most EU use cases. Plausible, Fathom, or Umami can work without consent banners in many cases.

  • Review your email provider's data processing location and DPA

    optional

    If your email provider processes data in the US, ensure SCCs are in place. Consider EU-based alternatives like Brevo or Mailcoach.

  • Document your data flows in a Record of Processing Activities (RoPA)

    recommended

    A RoPA is required for organizations of 250+ employees, but recommended for all. It's your audit evidence if a supervisory authority investigates.