Regulatory compliance operations in SaaS covers the operational implementation of data privacy laws — primarily GDPR (EU), CCPA (California), and similar frameworks — ensuring that customer data is collected, processed, stored, and deleted in accordance with legal requirements and that the necessary documentation, controls, and processes exist to demonstrate compliance.
What GDPR requirements have the most operational impact on SaaS companies?
GDPR (General Data Protection Regulation) applies to any company that processes personal data of EU residents, regardless of where the company is headquartered. The most operationally significant requirements are:

Lawful basis for processing: every category of personal data must have a documented lawful basis for processing — consent, contractual necessity, legal obligation, or legitimate interest. B2B SaaS typically relies on "contractual necessity" for customer data processing and "legitimate interest" for analytics and communications.

Data Processing Agreements (DPAs): any vendor that processes customer personal data on your behalf (a sub-processor) must sign a DPA. This includes cloud providers (AWS, GCP), analytics tools, support platforms, and marketing tools. Maintaining a current sub-processor list and the corresponding DPAs is an audit requirement.

Data Subject Rights: EU residents have the right to access, correct, delete, and export their personal data. You must have an operational process to respond to data subject requests (DSRs) within 30 days. Support Ops typically handles inbound DSRs; the process is: verify the requester's identity, locate all of their data in the relevant systems, respond with the requested data or a deletion confirmation, and log the request and its outcome.

Breach notification: a data breach must be reported to the relevant Data Protection Authority within 72 hours of discovery if it poses a risk to individuals. A documented breach response process (who is notified, who decides whether to report to the Data Protection Authority, what communication goes to affected individuals) must exist before a breach occurs.
How does CCPA/CPRA differ from GDPR and what additional compliance operations are required?
CCPA (California Consumer Privacy Act), now extended by CPRA (California Privacy Rights Act), applies to companies that serve California residents and meet revenue or data-volume thresholds. Key differences from GDPR:

Opt-out vs. opt-in: GDPR requires opt-in consent for most data processing; CCPA operates on opt-out — consumers can opt out of the "sale" of their data (broadly defined) but do not need to consent to standard processing. The "Do Not Sell My Personal Information" link requirement is CCPA-specific.

Business threshold: CCPA applies only to companies with more than $25M in revenue, more than 100k consumer records processed annually, or more than 50% of revenue derived from selling personal information; smaller companies may fall below this threshold, which has no counterpart in GDPR.

CPRA additions (effective 2023): adds the consumers' right to correct their data (not in the original CCPA), establishes the California Privacy Protection Agency (CPPA) as an independent enforcement body, and extends rights to "sensitive personal information" with additional restrictions.

Operational compliance for CCPA: a privacy notice (conspicuous disclosure of data practices on the website); the "Do Not Sell or Share" mechanism and its associated opt-out workflow; a documented data deletion process; employee privacy training; and an annual data inventory update.

Companies with both EU and California customers must comply with GDPR and CCPA simultaneously, typically implementing the stricter standard (GDPR) as the global baseline and adding CCPA-specific mechanisms on top.
How should a fast-growth SaaS company build its privacy compliance program incrementally?
Building a privacy compliance program at a fast-growth SaaS company requires prioritizing the foundational elements that prevent the most significant legal risk while maintaining product development velocity. Phased compliance roadmap:

Phase 1 — Foundation (months 1–3): data mapping (identify all personal data processed, where it comes from, where it is stored, and who has access); privacy policy and terms of service drafted by legal counsel; DPA templates from your cloud providers and top SaaS vendors signed; internal privacy training for all employees who handle customer data; and a simple DSR intake form (email or web form for access/deletion requests).

Phase 2 — Process (months 4–6): a documented DSR response procedure (assigning ownership, establishing the 30-day response workflow, logging all DSRs in a tracker); a sub-processor management process (reviewing new vendor additions against GDPR requirements, maintaining the sub-processor list, publishing it in the privacy policy); and a breach response procedure (a runbook for the first 72 hours after discovering a breach).

Phase 3 — Controls (months 7–12): technical privacy controls (data minimization — only collect what is needed; retention policies — automatically delete data after defined periods; access controls — limit who can query customer data); privacy impact assessments (PIAs) for new product features that process sensitive data; and a privacy-by-design review checkpoint in the product development process.

Engaging external privacy counsel or a privacy officer is advisable by Phase 2 for companies with significant EU or California customer bases.
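An added example, not code from the page or from any product it mentions: the Phase 3 retention control run against a Phase 1 data map. The categories, retention periods, lawful bases and records are constructed assumptions; a record whose category has no documented lawful basis is flagged for review rather than silently deleted or kept.

```python
from datetime import datetime, timedelta, timezone

# Constructed Phase 1 data map (assumption, not from the page): each personal-data category
# records its documented lawful basis and a retention period in days
# (None = kept for the life of the customer contract).
DATA_MAP = {
    "account_profile": {"basis": "contractual necessity", "retention_days": None},
    "support_ticket": {"basis": "contractual necessity", "retention_days": 730},
    "product_analytics": {"basis": "legitimate interest", "retention_days": 90},
}

def apply_retention(records, data_map, now):
    """Return (ids to delete, ids needing review).

    A record is deleted when its category's retention period has elapsed or, for
    indefinite categories, when the customer contract has ended. A category missing
    from the data map has no documented lawful basis, so its records are flagged
    for review rather than silently kept or deleted."""
    delete, review = [], []
    for rec in records:
        policy = data_map.get(rec["category"])
        if policy is None:
            review.append(rec["id"])
            continue
        days = policy["retention_days"]
        if days is None:
            if not rec["contract_active"]:
                delete.append(rec["id"])
        elif now - rec["created_at"] > timedelta(days=days):
            delete.append(rec["id"])
    return delete, review

def sample_records(now):
    """Constructed records positioned on both sides of each retention boundary."""
    def rec(rid, category, age_days, active=True):
        return {"id": rid, "category": category,
                "created_at": now - timedelta(days=age_days), "contract_active": active}
    return [
        rec("r1", "product_analytics", 91),         # past 90-day window -> delete
        rec("r2", "product_analytics", 30),         # inside window -> keep
        rec("r3", "support_ticket", 800),           # past 730-day window -> delete
        rec("r4", "account_profile", 1500),         # indefinite, contract active -> keep
        rec("r5", "account_profile", 1500, False),  # contract ended -> delete
        rec("r6", "clickstream_raw", 5),            # no documented basis -> review
    ]

def run_demo():
    """Run the retention pass at a fixed timestamp so the result is reproducible."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return apply_retention(sample_records(now), DATA_MAP, now)
```

In practice the data map would be loaded from the inventory maintained in Phase 1 and the review list routed to whoever owns the lawful-basis documentation, since an unmapped category is itself a finding.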