All companies with customers in Europe must comply with EU data protection laws. While we know this is not the first priority for early-stage start-ups, compliance becomes ever more important once you start to scale or decide to expand to European markets. We’ve put together a short guide to help with the basics.

Why Should You Care About Data Protection

• Show fundraising readiness – VCs and enterprise investors increasingly expect GDPR compliance as part of due diligence. Having clear data protection practices signals you’re ready to scale and is seen as a major green flag – it reduces investor risk by showing you safeguard data and have thought long-term.

• Land enterprise deals and build trust – Being privacy-compliant helps land deals faster**.** Enterprise customers will ask about your data practices and privacy controls. Many large B2B clients have security questionnaires or contract clauses to ensure vendor compliance. If you can easily meet their requirements, clients are more likely to sign up and less likely to demand exhaustive audits.

• Avoid fines and legal headaches – GDPR fines can reach €20M or 4% of worldwide revenue. For a young startup, even smaller fines or legal injunctions can be devastating. Beyond fines, regulators can order you to stop processing data, delete datasets, or face lawsuits from affected users.

When Should You Care About Data Protection

• Before raising a Series X round.

• If you’re dealing with a lot of sensitive personal information (e.g. if you’re in finance, healthcare, AI or ad tech).

• Specifically for AI start-ups, you are usually be required to do a data protection impact assessment (see below) before you roll out a new product.

• If you’re selling to enterprise clients in Europe.

• When you start having 50+ employees.

Practical Steps to Ensure GDPR Compliance

1. Data Mapping

Start with a personal data audit. Identify all the personal data your startup collects, processes, or stores, and map out the data flows. Be thorough – “personal data” under GDPR includes not only names and emails but also things like IP addresses, device IDs, location data, etc. Document where data comes from, where it’s stored, and who you share it with. This inventory (usually in the form of a register/spreadsheet) is the basis for all other compliance steps.

2. Privacy Policy

Draft a clear, user-friendly privacy (and cookie) policy and keep it up to date. Having a public privacy notice is a core obligation under GDPR. This policy should transparently explain what data you collect, how and why you use it, and who you share it with. At a minimum, include: your company’s contact info, the categories of personal information collected (e.g. names, emails, sensor data), the purposes of processing each category, the legal basis for each purpose, any third parties or sub-processors (e.g. analytics or cloud providers), information on international data transfers (if any), how long you retain data, and how individuals can exercise their rights. Make sure users can find this policy easily, e.g. link it on your website/app.

3. Legal Basis for Processing

For each category of personal data and processing activity, determine the valid legal basis under GDPR. GDPR requires that you have a specific allowed reason (a “lawful basis”) to process personal data – the main ones include consent, contractual necessity, legal obligation, legitimate interests, etc. For example, if you send marketing emails, you likely need consent, whereas fulfilling a user’s purchase may fall under contractual necessity. Document the legal basis for each use of data in your privacy policy and processing register.

4. Vendor Compliance

If you use third-party services to process personal data (cloud hosts, SaaS tools, analytics, etc.), you must ensure they also comply with GDPR. In practice, this means signing Data Processing Agreements (DPAs) with each vendor who processes personal data on your behalf. A DPA is a contract that binds the vendor to GDPR standards – it will specify how they handle the data, security measures, breach notification duties, and that they only process data per your instructions. Using a vendor without a DPA is a violation on your part and could lead to fines. Additionally, if any personal data is transferred outside the EEA, you need to implement approved transfer mechanisms. The most common are Standard Contractual Clauses (SCCs) – standardized clauses published by the EU to ensure data leaving the EU still gets GDPR-level protection. Maintain a list of all vendors with whom you share personal data, perform at least basic due diligence (review their privacy practices, check data centers location, certifications like ISO27001 or EU-US Data Privacy Framework, etc.).

5. Risk and Impact Assessments

If you’re processing data in a way that may pose a risk to your users (e.g. you’re using new tech like AI, deal with health data, process large volumes of personal data), you need to conduct periodic risk assessments. For any high-risk processing, consider performing a deeper Data Protection Impact Assessment (DPIA). In short, you need to lay out how you process the data, what are the risks and how you’ll mitigate them. Such assessments are especially relevant for companies operating in the AI, finance and health sectors.

6. User Rights

Under GDPR, EU citizens (your users, customers, or even employees) have strong data subject rights. Key rights include: the right to access their personal data (they can request a copy of all data you have about them), the right to rectification (correcting inaccurate data), and the right to erasure (also known as the “right to be forgotten,” i.e. delete their data on request). As a startup, you should set up some simple channels and procedures to handle these requests. This can be as easy as setting up an email address through which users can reach your team for privacy requests. When a request comes in, you’ll need to verify the person’s identity (to protect against fraud), then gather and act on their data as required. Document each request and your response, as regulators may ask for evidence that you comply with rights obligations.

7. Incident Response and Data Breach Reporting

Despite your best efforts, data breaches can happen – what matters is that you handle them properly. Put in place an incident response plan that defines how you detect, investigate, and contain security incidents. Under GDPR, if a breach occurs, you have a legal obligation to notify the authorities “without undue delay and not later than 72 hours” after becoming aware of it. This means you need to move quickly: assess what happened, what data was involved, how many people affected, and what measures you are taking to mitigate harm. Having pre-drafted breach notification templates with the information regulators expect (e.g. nature of the breach, number of records, likely consequences, and corrective actions) can save precious time.

Common Pitfalls and How to Avoid Them

No Legal Basis or Consent (Case of Clearview AI). A notorious example of “what not to do” is the story of Clearview AI, a facial recognition startup. Clearview built an extensive database of billions of people’s photos by scraping images from the web and social media without consent. They lacked any valid legal basis for this processing and did not inform individuals at all – blatant GDPR violations. European regulators took action and fined Clearview €30.5 million for this unlawful data collection, and some countries ordered them to delete all EU personal data.

If your AI startup is handling personal data (especially by web scraping or training AI models), you must ensure a valid legal basis and give individuals notice and choice.

Ignoring Transparency and User Rights (Case of ChatGPT in Italy). In early 2023, ChatGPT was temporarily banned in Italy after the Italian Data Protection Authority found it was collecting and using personal data without an adequate legal basis and without informing users properly. There were concerns that ChatGPT’s training process used personal data in ways users didn’t expect and that there was no easy way for Europeans to request deletion or opt-out. To get the ban lifted, OpenAI rushed to implement measures: they updated their privacy notices, added an age gate to protect minors, and provided a form for users to object to use of their data in training. Although service resumed, OpenAI later was still fined €15 million for the initial GDPR infringements.

Lack of transparency and control can cost you both in downtime and fines. To avoid this pitfall, clearly disclose your data practices (especially for uses like training AI models on user data) and implement measures to respect user rights.

Need help?

Reach out to founders@curatedai.eu or book a call if you’re looking for compliance support or just want to know more about data protection.