Glossary

What is GDPR?

GDPR (the General Data Protection Regulation, EU 2016/679) is the European Union's data protection law, in force since May 25, 2018. It applies to any organization that processes personal data of people in the EU — including US-based SaaS companies — and defines 6 lawful bases for processing, 8 data subject rights, and fines up to €20M or 4% of global annual turnover.

What GDPR is

GDPR is the General Data Protection Regulation (Regulation EU 2016/679), in force since May 25, 2018. It governs how organizations process personal data of people in the EU and EEA, and is enforced by national data-protection authorities — the ICO in the UK (under UK GDPR), CNIL in France, Bundesbeauftragte in Germany, and so on.

Even if you're not in the EU: GDPR's territorial scope (Article 3) reaches outside the EU. If your US SaaS processes data of EU residents — paying customers, free-trial signups, even just identifiable analytics on EU visitors — you're in scope.

Who GDPR applies to

Key terms

The 6 lawful bases (Article 6)

  1. Consent — freely given, specific, informed, unambiguous, as easy to withdraw as to give. Pre-ticked boxes don't count.
  2. Contract — necessary to perform a contract with the data subject, or pre-contractual steps at their request.
  3. Legal obligation — required by EU or member-state law.
  4. Vital interests — protecting someone's life. Rare for SaaS.
  5. Public task — only for public authorities.
  6. Legitimate interests — balanced against data subject's rights via a documented Legitimate Interests Assessment (LIA).
Typical SaaS pattern: account management = contract. Security logging = legitimate interests. Marketing to existing customers = legitimate interests (soft opt-in). Marketing to prospects = consent.

The 8 data subject rights

  1. Right to be informed (Articles 13-14) — your privacy notice must explain what data, why, and on what basis.
  2. Right of access (Article 15) — subjects can request a copy of everything you hold ("subject access request" / SAR).
  3. Right to rectification (Article 16) — correct inaccurate data.
  4. Right to erasure / right to be forgotten (Article 17) — delete their data, with limited exemptions.
  5. Right to restrict processing (Article 18) — pause processing while a dispute is resolved.
  6. Right to data portability (Article 20) — receive data in machine-readable format, or transmit to another controller.
  7. Right to object (Article 21) — to legitimate-interests processing, direct marketing, or research.
  8. Rights re: automated decision-making (Article 22) — including human review of significant automated decisions.

You must respond within 30 days, free of charge. Build the SAR workflow before you have to use it.

DPIA, DPO, DPA, SCCs

Breach notification

Penalties

TierMax fineExamples
Lower (Article 83(4))€10M or 2% global turnoverMissing DPO, inadequate DPIA, breach-notification failures, record-keeping
Higher (Article 83(5))€20M or 4% global turnoverProcessing without lawful basis, ignoring rights requests, illegal transfers, special-category violations

Big-ticket fines (Meta €1.2B, Amazon €746M, TikTok €345M) make headlines but most SME enforcement is €10K-€500K. Reputational damage usually hurts more than the fine.

GDPR vs other privacy regulations

RegulationGeographyNotes
GDPREU + EEASets the bar globally
UK GDPR + DPA 2018UKNear-identical to EU GDPR post-Brexit
CCPA / CPRACaliforniaSimilar shape, narrower rights, revenue/data thresholds
LGPDBrazilClosely modeled on GDPR
PIPLChinaGDPR-shaped with strict data-localization

GDPR in one platform.

SAR workflows, breach register, DPIA tracking, DPA inventory — pre-mapped to GDPR articles. 7-day trial.

Start your free trial →