
GDPR checklist for startups

GDPR applies to any startup that processes personal data of EU residents — regardless of where the startup is based. This checklist covers the 8 minimum requirements every early-stage startup needs before launch. GeraCompliance can complete your GDPR gap assessment in a fixed-fee sprint.

The 8-item GDPR startup checklist

1. Identify lawful bases
Map every type of personal data you process to a lawful basis (consent, legitimate interest, contract, etc.).

2. Write a privacy policy
Publish a GDPR-compliant privacy policy accessible from your homepage, signup page, and mobile app.

3. Implement consent mechanisms
Ensure cookie consent is explicit and granular. No pre-ticked boxes. Consent must be freely given, specific, and withdrawable.

4. Create data subject rights workflows
Build processes to handle Subject Access Requests (SARs), erasure requests, and data portability within the required timeframe (30 days).

5. Sign Data Processing Agreements (DPAs)
Execute DPAs with all processors who handle personal data on your behalf: email providers, analytics tools, CRM, hosting.

6. Maintain a Record of Processing Activities (RoPA)
Document what you process, why, how long you keep it, and who it is shared with.

7. Implement a breach notification process
Establish a 72-hour internal protocol to identify, contain, and notify a supervisory authority of qualifying data breaches.

8. Appoint a contact point
Designate an internal privacy lead. Appoint a Data Protection Officer (DPO) if required by the scale or sensitivity of your processing.

Frequently asked questions

Does my startup need to comply with GDPR?

Yes, if you process personal data of EU/EEA individuals — regardless of where your startup is based. GDPR applies to any organisation processing EU residents' personal data.

What is the minimum GDPR requirement for a pre-revenue startup?

Lawful basis mapping, a transparent privacy policy, data subject rights mechanisms, data processing agreements with processors, and a 72-hour breach notification process.

What is the GDPR penalty for startups?

Up to €20M or 4% of global annual turnover. For pre-revenue startups, the immediate risks are enforcement orders, reputational damage, and enterprise customers requiring compliance from vendors.

Get your GDPR gap assessed

GeraCompliance fixed-fee GDPR sprint for startups. Results in 5 business days.

Request a GDPR sprint