GDPR startup baseline — minimum compliance for EU users
Updated
If you have any EU users, GDPR applies. Here's the minimum baseline: lawful basis, DPA, breach notification, DSAR.
For: Startups with any EU users (even one user makes you in scope)
Public-facing
- Privacy Policy published at /legal/privacy (use /templates/privacy-policy) [critical]
- Cookie banner if using cookies (consent management) [critical]
- Sub-processor list at /sub-processors (or in Privacy Policy) [critical]
Customer-facing (B2B)
- DPA template ready (use /templates/dpa) [critical]
- Standard Contractual Clauses (SCCs) for non-EU data transfer
- EU representative designated (if non-EU provider) [critical]
Internal
- Lawful basis documented per processing purpose [critical]
- Records of processing activities (Article 30) [critical]
- Data subject rights flow tested (DSAR, deletion, portability) [critical]
- Breach notification process — 72 hours to supervisory authority (Article 33) [critical]
Technical
- Encryption at rest + in transit [critical]
- Access control + MFA (Article 32 appropriate measures) [critical]
- Securie running on every PR (vulnerability management evidence)
- Audit log of customer-data access
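The "Audit log of customer-data access" item is the one control on this list a startup usually builds itself, and it also feeds the DSAR flow above (a data subject may ask who has looked at their data). As an added example, not code from this page or from Securie, here is a minimal append-only, hash-chained audit log in Python: every read, export or deletion of a customer record is written with actor, purpose and timestamp, each entry's hash covers the previous entry's hash so an edited, removed or reordered entry breaks the chain, and `accesses_for` answers the access-history part of a DSAR. The class and function names, the `CUSTOMERS` store and the sample entries are all constructed for illustration.

```python
import functools
import hashlib
import json
from datetime import datetime, timezone


class CustomerDataAuditLog:
    """Append-only, hash-chained log of access to customer data (hypothetical helper).

    Each entry records who (actor) touched which customer record, what they did
    (action) and why (purpose). The hash of each entry covers the previous
    entry's hash, so a deleted, reordered or edited entry breaks the chain and
    verify() reports where.
    """

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself; sort_keys makes the JSON canonical.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, customer_id, action, purpose, ts=None):
        """Append one entry and return its hash. ts is injectable so tests are deterministic."""
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "customer_id": customer_id,
            "action": action,      # e.g. read / export / delete
            "purpose": purpose,    # lawful basis, DSAR reference or ticket id
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or self._digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def accesses_for(self, customer_id):
        """All recorded accesses to one customer: the 'who saw my data' part of a DSAR."""
        return [e for e in self.entries if e["customer_id"] == customer_id]


def audited(log, action, purpose):
    """Decorator: write the audit entry before the wrapped data-access function runs."""
    def wrap(fn):
        @functools.wraps(fn)
        def inner(actor, customer_id, *args, **kwargs):
            log.record(actor, customer_id, action, purpose, ts=kwargs.pop("ts", None))
            return fn(actor, customer_id, *args, **kwargs)
        return inner
    return wrap


# Constructed sample customer store (hypothetical data, not real users).
CUSTOMERS = {
    "cust-42": {"email": "alice@example.invalid", "plan": "team"},
    "cust-77": {"email": "bob@example.invalid", "plan": "free"},
}


def build_sample_log():
    """Exercise the log with a support lookup, a DSAR export and an erasure."""
    log = CustomerDataAuditLog()

    @audited(log, "read", "support ticket (constructed ref SUP-0001)")
    def support_lookup(actor, customer_id):
        return CUSTOMERS.get(customer_id)

    @audited(log, "export", "DSAR: right of access / portability")
    def dsar_export(actor, customer_id):
        return json.dumps(CUSTOMERS.get(customer_id), sort_keys=True)

    support_lookup("support@example.invalid", "cust-42", ts="2024-01-01T09:00:00+00:00")
    dsar_export("dpo@example.invalid", "cust-42", ts="2024-01-02T10:00:00+00:00")
    log.record("dpo@example.invalid", "cust-77", "delete", "DSAR: erasure",
               ts="2024-01-03T11:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    for e in log.accesses_for("cust-42"):
        print(e["ts"], e["actor"], e["action"], e["purpose"])
    log.entries[0]["actor"] = "someone-else"   # simulate an edited entry
    print("first bad entry after edit:", log.verify())
```

The chain only detects changes inside the sequence; silently dropping the newest entries leaves a valid shorter chain, so in production the latest hash should be anchored somewhere the application cannot rewrite (a periodic export to write-once storage, or a separate log sink) and the log table should be append-only at the database permission level.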