GDPR Readiness Checklist for Startups
If you have EU or UK users, GDPR applies, wherever your company is based. Check off what you've actually handled across consent, data rights, security, and vendors to get a readiness score and the gaps that carry the most risk.
The checklist covers six areas: Legal basis & consent; Transparency; Data subject rights; Data handling & security; Third parties & transfers; Accountability.
A practical self-assessment, not legal advice. For a binding compliance opinion, consult a qualified data-protection lawyer or your DPO. Nothing you enter leaves your browser.
Compliance is cheaper built in than bolted on
Most GDPR problems are not malice but architecture. Data gets collected because a form had an extra field, spreads to vendors nobody signed agreements with, and ends up stored in places no one can fully account for. By the time a user asks for deletion or a regulator asks a question, untangling it is expensive.
Handled early, the same requirements are cheap: collect less, encrypt it, sign the DPAs, and build a real path to export and delete a user. That is data protection by design, and it is far easier to bake in now than to retrofit after the product has scaled. This checklist shows you where you stand and what to fix first.
Frequently asked questions
Does GDPR apply to my startup?
If you offer goods or services to people in the EU or UK, or monitor their behaviour (analytics, ads), GDPR/UK GDPR applies regardless of where your company is based. A US startup with EU users is in scope. So is a tiny side project that collects EU emails.
What are the biggest GDPR risks for a small startup?
The common ones are: a cookie banner that does not let users actually reject tracking, no real way to delete a user's data on request, no Data Processing Agreements with the vendors that handle your data (hosting, analytics, Stripe, email), and sending EU data to US services without a transfer safeguard. Those are weighted highest in this checklist.
Is a privacy policy enough to be GDPR compliant?
No. A privacy policy is necessary but it is only the transparency piece. Compliance also requires a lawful basis for processing, valid consent where needed, the ability to honour data subject rights (access, deletion), security measures, vendor agreements, and accountability records. A policy describing things you do not actually do can make matters worse.
Do I need a Data Protection Officer (DPO)?
Most early startups do not, but you should assess it rather than assume. A DPO is required if your core activities involve large-scale systematic monitoring or large-scale processing of special-category data. If not required, you still benefit from naming someone accountable for data protection.
Is this checklist legal advice?
No. It is a practical self-assessment to help you find and prioritise gaps. For a binding compliance opinion, consult a qualified data-protection lawyer or your DPO. Nothing you enter is stored or leaves your browser.
Building for the European market?
I help European startups build GDPR and data protection into the product from the start, so compliance is an architecture decision, not a fire drill.