Safeguard
Regulatory Compliance

GDPR compliance basics for US and global SaaS companies

A practical GDPR compliance checklist for US and global SaaS teams: fines, deadlines, and why documentation platforms like Vanta don't cover Article 32's technical controls.

Marina Petrov
Compliance Analyst
7 min read

If your SaaS product has even one European user, GDPR compliance isn't optional — and the checklist is longer than most vendors admit. The regulation has been enforceable since May 25, 2018, and enforcement has only intensified since: in 2023 alone, EU regulators issued over €2.1 billion in fines, including Meta's record-setting €1.2 billion penalty for unlawful data transfers. US-based SaaS companies frequently assume GDPR is a European problem. It isn't. If you process personal data belonging to anyone in the EU — a free-trial signup, a support ticket, an analytics cookie — you're in scope, regardless of where your servers or headquarters sit. Compliance platforms like Vanta have built businesses around automating the paperwork side of this: policies, questionnaires, vendor attestations. But GDPR's toughest requirement, Article 32's "appropriate technical and organizational measures," lives in your codebase and infrastructure, not your document library. Here's what an actual GDPR compliance checklist requires, and where the gaps usually are.

Does GDPR Actually Apply to US SaaS Companies?

Yes — GDPR applies to any company processing personal data of individuals located in the EU, regardless of where the company is incorporated. This is Article 3's "extraterritorial scope," and it's the single most misunderstood part of the regulation among US founders. You don't need an EU office, an EU entity, or EU revenue to be covered. You just need EU-based users, and "processing" is defined broadly enough to include collecting an email address, storing an IP address in server logs, or running Google Analytics on a marketing site. A useful rule of thumb: if your signup form doesn't ask for a country and you have any European traffic, assume you're in scope. Companies that determine they're out of scope entirely are rare — most SaaS products with any public-facing website end up processing EU personal data whether they intended to or not.

What Belongs on a GDPR Compliance Checklist?

A working GDPR compliance checklist has five non-negotiable items: a lawful basis for each processing activity, a Records of Processing Activities (ROPA) document under Article 30, Data Processing Agreements (DPAs) with every subprocessor, a 72-hour breach notification process under Article 33, and "appropriate technical and organizational measures" under Article 32. The first four are largely documentation and contract work — the part that tools like Vanta handle well through templated policies and vendor tracking. The fifth item, Article 32, is where most SaaS companies underinvest, because it's the only requirement that's actually about engineering: encryption of personal data at rest and in transit, the ability to restore availability after an incident, and — critically for anyone shipping software — securing the components and third-party code that touch that data. A ROPA document doesn't stop a compromised npm package from exfiltrating customer records; a monitored software supply chain does.

How Much Can a GDPR Violation Actually Cost?

GDPR fines can reach €20 million or 4% of a company's total global annual revenue, whichever is higher, and regulators have shown they'll use the upper bound. Meta's €1.2 billion fine in May 2023 was for transferring EU user data to the US without adequate safeguards. Amazon was fined €746 million by Luxembourg's CNPD in 2021 over advertising practices. Uber was fined €290 million in 2024 by the Dutch DPA, also over EU-US data transfers. British Airways and Marriott were fined £20 million and £18.4 million respectively by the UK ICO following data breaches traced back to inadequate security controls — not missing paperwork. For a mid-sized SaaS company with $10 million in annual revenue, the 4% threshold caps out at $400,000, but reputational damage and customer churn after a public breach disclosure routinely exceed the fine itself. Breach-driven fines, not documentation gaps, produce the largest numbers on this list.

How Long Does It Take to Get GDPR-Ready?

Most SaaS companies need 3 to 6 months to reach a defensible GDPR posture, assuming they're starting from a SOC 2-adjacent baseline and not from zero. The timeline breaks down roughly as: 2-4 weeks for a data mapping exercise and ROPA, 4-6 weeks to get DPAs signed with every vendor and subprocessor that touches personal data, 2-3 weeks to stand up a documented breach response process that can meet the 72-hour notification window, and — the part that consistently runs long — 8-12 weeks or more to actually implement and verify the technical controls under Article 32, including dependency and vulnerability management across your software supply chain. Compliance automation platforms compress the documentation timeline significantly, sometimes to days, by auto-generating policies and tracking vendor questionnaires. They do far less to compress the technical control timeline, because verifying encryption, patching, and third-party component security isn't a form you fill out — it's a continuous state you have to prove.

Why Isn't a Vanta-Style Trust Report Enough on Its Own?

A Vanta-style trust report demonstrates that policies exist and evidence has been collected; it doesn't verify that the underlying software is actually secure against the risks GDPR Article 32 is written for. Vanta and similar platforms excel at the governance layer: automated SOC 2 and ISO 27001 evidence collection, vendor risk questionnaires, policy templates, and access-review tracking. That's real value, and most companies pursuing GDPR alongside SOC 2 should use a platform like it for exactly that purpose. But GDPR's Article 32 explicitly calls for measures that are appropriate "to the risk," and the risk landscape for SaaS in 2026 is dominated by software supply chain attacks — compromised dependencies, unsigned build artifacts, and vulnerable open-source packages that account for a large share of breach root causes in recent industry incident reports. A trust report can confirm you have a vulnerability management policy on file. It can't tell you whether the container image you shipped last night has a critical CVE in a transitive dependency, or whether an unreviewed package update introduced a backdoor. That gap between documented policy and verified runtime reality is exactly where regulators focus once a breach happens, because that's where the actual harm to data subjects occurs.

How Safeguard Helps

Safeguard is built to close the specific gap that GDPR Article 32 creates and that governance-first platforms don't fully address: proving, continuously, that the software touching personal data is actually secure — not just documented as such. Where a compliance automation tool tracks whether you have a vendor security policy, Safeguard scans your actual software supply chain — dependencies, build pipelines, container images, and third-party components — for the vulnerabilities, license risks, and integrity issues that turn into the breach notifications Article 33 requires you to send within 72 hours.

Concretely, Safeguard generates and maintains Software Bills of Materials (SBOMs) so your Article 30 processing records can be backed by an accurate inventory of what code is actually running against personal data, not a stale spreadsheet. It continuously monitors dependencies for newly disclosed CVEs, so a vulnerability affecting a package you shipped six months ago surfaces the day it's disclosed rather than during your next annual audit. It verifies build and artifact provenance, giving you evidence — real, technical evidence, not a self-attestation — that the software your DPAs promise is secure hasn't been tampered with between commit and deployment. And it flags risky third-party and open-source components before they reach production, which directly supports the "appropriate technical measures" language regulators cite when assessing fines after an incident.

For teams already running Vanta or a similar platform for SOC 2 and documentation workflows, Safeguard isn't a replacement — it's the technical control layer that platform doesn't reach. You keep your policies, DPAs, and audit evidence trail in place, and you add continuous, verifiable proof that the code processing your users' personal data is being watched for the exact risks GDPR was written to reduce. When a regulator or an enterprise customer asks not just "do you have a security policy" but "prove your software supply chain is secure," Safeguard is the answer that holds up.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.