Why VCs Care About GDPR
GDPR non-compliance is no longer a theoretical risk — it is a material liability. Fines can reach €20 million or 4% of global annual turnover. For VCs investing in early-stage companies, a GDPR gap means potential financial exposure, reputational risk, and deal friction.
In practice, nearly every Series A due diligence now includes a data protection review. Getting it wrong does not necessarily kill the deal — but it can delay closing, reduce valuation, or result in specific indemnity requirements.
The 10-Point GDPR Audit Checklist
1. Record of Processing Activities (ROPA)
Article 30 GDPR requires a documented register of all personal data processing activities. This is the foundational document that auditors look for first. Minimum content: purposes of processing, categories of data subjects and personal data, recipients, transfers to third countries, retention periods.
2. Privacy Policy
The policy must meet the transparency requirements of Articles 13-14 GDPR. Common gaps: no legal basis stated for each processing purpose, inadequate description of data subject rights, missing DPO contact information (where a DPO has been appointed), and no mention of automated decision-making or profiling.
3. Cookie Consent
Cookie banners must offer genuine choice (not just "Accept All"). Analytics and marketing cookies require prior consent. Many startups still use non-compliant banner implementations.
4. Data Processing Agreements (DPAs)
Every third-party processor (cloud hosting, analytics, CRM, email service) requires a DPA per Article 28. Check that DPAs are signed, up to date, and include all mandatory clauses.
5. Sub-processors
Know your sub-processor chain. If you use AWS, Stripe, or Google Cloud, their sub-processors are your concern too. Maintain an up-to-date list.
6. International Data Transfers
After Schrems II, transfers to the US require either reliance on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) with a Transfer Impact Assessment (TIA). Document your transfer mechanism for each non-EEA recipient.
7. Data Subject Rights Procedures
You need documented procedures for handling access, deletion, portability, and objection requests. Response deadline: 1 month from receipt (extendable to 3 months in complex cases, provided the data subject is told about the extension within the first month).
8. Data Protection Officer (DPO)
Mandatory if you process personal data on a large scale or handle sensitive data as a core activity. Even if not mandatory, consider appointing one — it demonstrates maturity to investors.
9. Data Protection Impact Assessment (DPIA)
Required before processing that is "likely to result in a high risk" — including profiling, large-scale monitoring, or processing sensitive data. If your product involves any of these, a DPIA must exist before launch.
10. Breach Response Plan
You have 72 hours to notify the supervisory authority after becoming aware of a personal data breach. Have a documented response procedure, designated team, and template notifications ready.
Timeline: 3 Months Before the Round
- Month 1 — Complete the ROPA, review all DPAs, identify gaps
- Month 2 — Update privacy policy, implement compliant cookie consent, document transfer mechanisms
- Month 3 — Prepare data room materials, run mock audit, finalize breach response plan
Preparing for a funding round? Let us run a GDPR pre-audit so you enter due diligence with confidence.