DATA PRIVACY & GDPR | SEPTEMBER 10, 2025

The Essential GDPR Due Diligence Checklist for Startup Investors

By: Anton Sudnik, Managing Partner

Investing in a startup, that first spark of belief in a new idea, is about so much more than numbers. We look for a vision, for a team with fire in their eyes. We dig into the financials, the market, the traction. But there’s a quiet, often unseen risk hiding in plain sight: a company's relationship with its data. I've learned that a startup’s approach to GDPR isn’t a footnote; it tells you whether they respect their users and whether they understand what it means to be responsible.

Neglecting this can feel like a small misstep at the beginning, but it can quickly become a heavy burden, a legal storm with fines big enough to sink even the most promising ship. And it’s not just about the money. It's about trust. Your trust as an investor, and the trust the company needs to build with every single user.

This material is for informational purposes only and does not constitute legal advice. We recommend that you seek advice from a qualified lawyer.

What is Personal Data Under GDPR?

GDPR's Article 4 defines personal data as any information relating to an identified or identifiable natural person. This is a very broad definition and includes direct identifiers like a name, an email address, or a phone number. It also includes indirect identifiers such as an IP address, a cookie ID, or even an employee ID number. Essentially, if you can use a piece of information, either alone or in combination with other information, to pinpoint a specific person, it's considered personal data.

Data Controller vs. Data Processor

Under the GDPR, the distinction between a data controller and a data processor is fundamental because it assigns specific responsibilities and liabilities to each role. Think of a data controller as the 'why' and 'how,' while the data processor is the 'what' and 'for whom.'

The Data Controller

A data controller is the person, company, or public authority that, alone or jointly with others, determines the purposes and means of processing personal data. They are the decision-maker, the one who calls the shots regarding the data. They decide why the data is being collected and how it will be used.

For example, a company that collects customer email addresses to send out a newsletter is a data controller. It decided to collect the emails (the 'why') and how to use them (to send newsletters).

The controller has the primary responsibility for GDPR compliance. Their duties include:

  • Ensuring the data is processed lawfully.
  • Having a valid legal basis for all processing activities.
  • Implementing appropriate security measures to protect the data.
  • Responding to data subject requests (e.g., requests to access or delete data).

The Data Processor

A data processor is a person, company, or public authority that processes personal data on behalf of a data controller. They don't decide the purpose or means of the data processing; they simply follow the controller's instructions.

Using the previous example, if the company uses a third-party email marketing service (like Mailchimp) to send its newsletters, that service is the data processor. The marketing service processes the email addresses on the company's behalf and according to its instructions.

The processor's responsibilities under GDPR include:

  • Processing data only as instructed by the controller.
  • Implementing its own technical and organizational security measures.
  • Assisting the controller with their GDPR compliance obligations, such as helping with data subject requests or breach notifications.
  • Entering into a legally binding Data Processing Agreement (DPA) with the controller that outlines the terms of the data processing.

For an investor, the dual role presents a twofold risk:

  • Risk as a Controller: A GDPR violation related to a startup's own data (e.g., a data breach of employee or customer information) can lead to direct fines and reputational damage.
  • Risk as a Processor: A violation of a DPA can lead to a lawsuit from the client (the controller) and may also expose the startup to regulatory fines if the breach is severe. The startup's failure to protect client data can also cause the client to lose trust and terminate the contract, affecting the startup's revenue.

Therefore, for an investor, verifying that a startup has clear and effective policies for handling both types of data—its own as a controller and its clients' as a processor—is a fundamental part of a thorough risk assessment. It's a key indicator of a company's operational maturity and legal compliance.

Lawful Basis for Processing Data

It's essential for any organization to have a valid legal basis for processing personal data under the General Data Protection Regulation (GDPR). Without one, the processing is unlawful. GDPR Article 6 outlines six specific lawful bases. No single basis is "better" than another; the most appropriate one depends on the specific context and purpose of the data processing.

Here is a breakdown of the six legal grounds:

1. Consent

Consent is one of the most well-known bases. It means the individual has given clear, affirmative consent for you to process their personal data for a specific purpose. For consent to be valid under GDPR, it must be freely given, specific, informed, and unambiguous. The individual must have a genuine choice, and it must be as easy to withdraw consent as it is to give it.

2. Contractual Necessity

This basis applies when the processing is necessary for the performance of a contract to which the individual is a party, or to take steps at the individual's request before entering into a contract. For example, an e-commerce company needs to process a customer's address to deliver a product they have purchased.

3. Legal Obligation

This is used when the processing is necessary for you to comply with a legal obligation. This is a common basis for companies that are required by law to provide certain data to government authorities for tax, health, or safety purposes. It must be a specific legal requirement, not a contractual one.

4. Vital Interests

This basis is reserved for situations where the processing is necessary to protect someone's life. It is typically used in emergency situations, such as a hospital processing a patient's medical data when they are unconscious and unable to give consent. This is a very narrow and specific basis and should not be relied upon for general business purposes.

5. Public Task

This ground applies when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This is primarily relevant to public sector organizations, like government bodies or public health agencies, that are performing their official functions as defined by law.

6. Legitimate Interests

This is the most flexible of the six bases. It allows processing when it is necessary for your legitimate interests or the legitimate interests of a third party, unless those interests are overridden by the fundamental rights and freedoms of the data subject. Using this basis requires a "balancing test" where you must weigh your interests against the individual's rights. Common examples include fraud prevention, direct marketing, and network security. It is important to be transparent about your use of this basis.

Record of Processing Activities (ROPA)

Under GDPR Article 30, a company must maintain a Record of Processing Activities (ROPA), which is essentially a detailed data map. This is a mandatory internal document, not something typically made public. Investors should verify its existence and review its contents during due diligence.

What an Investor Should Look for in a Company's ROPA

1. What Data Is Collected and Processed

The ROPA must provide a clear inventory of all personal data the company handles. This includes identifying the categories of data subjects (e.g., customers, employees, website visitors) and the types of personal data collected from each group (e.g., names, email addresses, IP addresses, sensitive personal data like health information).

2. The Purpose of Data Processing

The document must explicitly state the specific purposes for which each type of personal data is processed. For example, it should clarify if data is being processed for marketing, product development, order fulfillment, or HR management. This helps to ensure the company adheres to the GDPR principle of purpose limitation.

3. Legal Basis for Processing

For each processing activity listed, the ROPA must document the lawful basis under which the data is being processed (e.g., consent, contractual necessity, or legitimate interests). This is a critical point for an investor, as it shows the company's understanding of its legal obligations.

4. Data Storage and Retention

The ROPA should detail where the data is stored (e.g., cloud servers, physical databases) and specify the data retention periods for each type of personal data. This demonstrates compliance with the GDPR's storage limitation principle, ensuring data isn't kept longer than necessary.

5. Third-Party Data Sharing

The document must identify any third parties with whom the company shares personal data. This includes service providers, partners, or analytics companies. It's crucial for the ROPA to clarify if Data Processing Agreements (DPAs) are in place with these third parties, which is a key requirement for maintaining data security and accountability.

6. International Data Transfers

If personal data is transferred outside of the European Economic Area (EEA), the ROPA must specify the country or organization to which the data is transferred and outline the legal mechanism used for the transfer (e.g., Standard Contractual Clauses). This addresses a significant area of risk for global businesses.

Why it is important

The data inventory section of the Record of Processing Activities (ROPA) is important because it's the fundamental step in understanding a company's data footprint. It provides a clear, documented overview of all the personal data a company is responsible for. Without this inventory, it's impossible to ensure compliance with the other principles of GDPR. It also directly addresses the principle of data minimization, as the company must clearly justify why it needs to collect each type of data from each group. For an investor, this shows that the company has a foundational understanding of its data and isn't just collecting it indiscriminately.

When performing due diligence, an investor must go beyond simply confirming that a Record of Processing Activities (ROPA) exists. The crucial step is to verify if this document is both comprehensive and accurate. You must check whether the record meticulously details all categories of personal data being collected, from basic user credentials to more sensitive information like usage data, location data, and financial details. Furthermore, you need to ensure the ROPA clearly outlines the specific purpose for each processing activity, the identity of all third parties with whom data is shared, and the established data retention periods for every data type. A well-maintained and transparent ROPA demonstrates the startup's operational maturity and its commitment to the core principles of data minimization and accountability, significantly reducing potential legal and financial risks for your investment.
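The six review points above can be turned into a mechanical completeness check that a reviewer runs over an exported ROPA before reading it line by line. The following is an added example and not code from the article or from any startup's own tooling; the `Activity` and `Recipient` field names, the lawful-basis keys and the two sample activities are assumptions chosen to mirror the checklist (Article 30 itself prescribes content, not a schema). It flags the gaps the text calls out: a missing retention period, legitimate interests claimed without a documented LIA, a recipient without a DPA, and a transfer outside the EEA with no transfer mechanism.

```python
"""Completeness check for a Record of Processing Activities (added example)."""
from dataclasses import dataclass, field

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}

# The six Article 6 grounds, as the keys used in the records below (assumed naming).
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}


@dataclass
class Recipient:
    """A third party that receives personal data for an activity."""
    name: str
    country: str                  # ISO 3166-1 alpha-2
    dpa_in_place: bool
    transfer_mechanism: str = ""  # e.g. "SCC" or "adequacy"; required outside the EEA


@dataclass
class Activity:
    """One row of the ROPA, simplified to the fields reviewed above."""
    name: str
    data_subjects: list
    data_categories: list
    purpose: str
    lawful_basis: str
    storage_location: str
    retention: str
    recipients: list = field(default_factory=list)
    lia_documented: bool = False        # only meaningful for legitimate_interests
    consent_records_kept: bool = False  # only meaningful for consent


def check_activity(a):
    """Return human-readable findings for one activity; an empty list means OK."""
    findings = []
    if not a.data_subjects:
        findings.append("no data-subject categories listed")
    if not a.data_categories:
        findings.append("no personal-data categories listed")
    if not a.purpose.strip():
        findings.append("purpose not stated")
    if a.lawful_basis not in LAWFUL_BASES:
        findings.append(f"unknown lawful basis {a.lawful_basis!r}")
    elif a.lawful_basis == "legitimate_interests" and not a.lia_documented:
        findings.append("legitimate interests claimed without a documented LIA")
    elif a.lawful_basis == "consent" and not a.consent_records_kept:
        findings.append("consent claimed but no consent records are kept")
    if not a.storage_location.strip():
        findings.append("storage location not stated")
    if not a.retention.strip():
        findings.append("retention period or criteria not stated")
    for r in a.recipients:
        if not r.dpa_in_place:
            findings.append(f"no DPA with recipient {r.name}")
        if r.country not in EEA and not r.transfer_mechanism:
            findings.append(f"transfer to {r.name} ({r.country}) outside the EEA "
                            "without a transfer mechanism")
    return findings


def check_ropa(activities):
    """Map each activity name to its findings; activities without findings are omitted."""
    report = {}
    for a in activities:
        findings = check_activity(a)
        if findings:
            report[a.name] = findings
    return report


# Constructed sample ROPA: one well-documented activity and one with gaps.
SAMPLE_ROPA = [
    Activity(name="order_fulfilment", data_subjects=["customers"],
             data_categories=["name", "postal address", "email"],
             purpose="deliver purchased goods and send order updates",
             lawful_basis="contract", storage_location="EU cloud region (constructed)",
             retention="7 years after last order (tax law)",
             recipients=[Recipient("ExampleCourier", "DE", dpa_in_place=True)]),
    Activity(name="product_analytics", data_subjects=["website visitors"],
             data_categories=["IP address", "cookie ID", "page views"],
             purpose="understand feature usage", lawful_basis="legitimate_interests",
             storage_location="vendor-hosted", retention="",
             recipients=[Recipient("ExampleAnalytics", "US", dpa_in_place=False)]),
]

if __name__ == "__main__":
    for name, findings in check_ropa(SAMPLE_ROPA).items():
        print(name)
        for line in findings:
            print("  -", line)
```

A clean report does not make a ROPA accurate; it only shows that every row carries the fields the checklist expects, so the reviewer can spend their time on whether the stated purposes and bases are actually justified.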

Financial Penalties

The failure to maintain a proper ROPA is a direct violation of GDPR. Although specific public records of fines levied solely for a lack of ROPA are not as common as fines for data breaches or lack of consent, the ROPA is a foundational document. When a data breach or other violation occurs, a company’s lack of a ROPA or an inaccurate one is often discovered during the regulatory investigation and contributes to the total fine. This shows a lack of accountability and diligence.

Telenor (Norway): Norway’s data protection authority fined the telecommunications company Telenor for inadequate organizational measures, specifically citing the lack of a proper ROPA and issues with the independence of its Data Protection Officer. The fine was part of a larger enforcement action that highlighted a failure to meet fundamental organizational GDPR requirements.

Fines for these "administrative" failures can be up to €10 million or 2% of a company’s global annual turnover, whichever is greater. While this might be less than the 4% maximum for data breaches, it can still be devastating for a small startup.

During due diligence, verifying that a startup has a documented lawful basis for every data processing activity is one of the most critical steps. Under GDPR Article 6, every instance of collecting, storing, or using personal data must be justified by one of the six legal grounds. An investor needs to ensure that for each processing activity listed in the company’s ROPA (Record of Processing Activities), a valid legal basis is clearly identified and supported.

Failure to properly document a lawful basis exposes the company to significant fines and legal challenges. It's a key indicator of whether the startup views GDPR as a genuine legal obligation or just a formality.

The Rationale Behind the Lawful Basis

For each processing activity in the ROPA, you should not only confirm the stated lawful basis but also probe into the details of its implementation.

1. Consent

If the startup relies on consent for a specific activity (e.g., marketing emails), you should check:

  • Is it documented? Is there a clear record of when and how consent was obtained from each individual?
  • Is it granular and specific? Was consent requested for distinct purposes, or was it a general, all-encompassing checkbox?
  • Is it easily revocable? Can users easily withdraw their consent, for instance, via an unsubscribe link in an email?

2. Contractual Necessity

For data processing based on contractual necessity, you need to confirm:

  • Is the data truly necessary? Is the processing of this specific data essential to fulfilling the terms of the service or contract with the user? For example, is a user's shipping address truly required to deliver a purchased product?
  • Is it transparent? Is this necessity clearly explained to the user in the company's terms of service or privacy policy?

3. Legitimate Interests

If a startup claims legitimate interest, this is a more flexible but also riskier basis. You must ask:

  • Has a Legitimate Interest Assessment (LIA) been conducted? A formal LIA is a balancing test that weighs the company's interest against the individual's rights and freedoms. This assessment should be documented and available for review.
  • Are the interests clear and justifiable? The stated interests (e.g., fraud prevention, network security) should be specific and genuinely necessary for the business.

When examining a startup's lawful basis, the rationale is what truly matters, especially for the more flexible and scrutinized grounds like 'legitimate interests' and 'consent'. A simple label in the ROPA is not enough; investors must probe for the reasoning behind the choice.

Rationale for 'Legitimate Interests'

This basis is powerful but carries the highest burden of proof. The rationale must be documented in a Legitimate Interest Assessment (LIA), which is essentially a three-part balancing test:

  • Purpose Test: The startup must clearly identify and articulate a specific, legitimate business interest. For example, is it for preventing fraud, ensuring network security, or direct marketing? The rationale should explain *why* this purpose is legitimate and necessary for the business.
  • Necessity Test: The startup must demonstrate that the processing is the only way to achieve that legitimate interest. The rationale should explain *why* a less intrusive method (e.g., using anonymized data instead of personal data) would not suffice.
  • Balancing Test: This is the most crucial part. The rationale must show that the startup has weighed its interests against the individual's fundamental rights and freedoms. This involves considering the nature of the data, the reasonable expectations of the individual, and the potential impact of the processing. A strong rationale will explain how the company has implemented safeguards to protect the individual’s rights. For an investor, a well-documented LIA demonstrates a deep and responsible approach to data privacy.

Rationale for 'Consent'

GDPR consent is a high-bar standard. The rationale is embedded in the process itself, and you must check if it aligns with the four key criteria:

  • Freely Given: The rationale should show there was no pressure or imbalance of power. For instance, a user's access to a service should not be made conditional on them consenting to marketing emails.
  • Specific: The rationale must prove that consent was given for a specific, defined purpose. A single opt-in cannot be used for multiple, unrelated purposes. The rationale should outline how the company ensures consent is granular.
  • Informed: The rationale is found in the privacy policy and consent forms. The information provided must be clear, concise, and easy for the average user to understand. It should outline who is collecting the data, what data is being collected, and for what purpose.
  • Unambiguous: The rationale must prove there was a clear, affirmative action. This means no pre-ticked boxes. The rationale should explain the mechanism used to obtain consent (e.g., an explicit click of a button) and how it's logged and recorded.

A startup's ability to provide a clear, documented, and justifiable rationale for their chosen lawful basis is a powerful indicator of their legal maturity and a key factor in mitigating your investment risk.

Financial Penalties

The absence of a lawful basis for data processing is a fundamental violation of GDPR Article 6, and it can result in a fine of up to €20 million or 4% of a company's total worldwide annual turnover, whichever is greater. Regulatory bodies often cite a lack of lawful basis as a key factor when imposing fines.

A well-known example is Google, which was fined €50 million by France's CNIL for failing to provide a valid lawful basis for processing user data for personalized advertising. The regulator ruled that the company's consent mechanism was not specific enough and was bundled with other terms, making it invalid.

Another example is Criteo, an advertising technology company, which was fined €40 million by the same French authority for relying on invalid consent for its targeted advertising practices.

The Italian Data Protection Authority also fined Axpo Italia €10 million for processing customer data without a valid legal basis.

Privacy Policy: Transparency & Clarity

When assessing a startup's privacy policy, investors should focus on three key criteria: accessibility, clarity, and plain language. GDPR Article 12 mandates that privacy information must be "concise, transparent, intelligible, and easily accessible." This is not just a legal requirement but a fundamental indicator of a company’s respect for its users and its commitment to transparency.

1. Accessibility

A privacy policy is not compliant if users have to hunt for it. Investors should check that the policy is:

  • Easily Findable: Is there a clear, persistent link to the privacy policy in the website's footer and on all data-collection forms (e.g., sign-up pages, contact forms)?
  • Layered, Not Buried: For a complex service, a layered approach is often best. Is there a short, high-level summary that links to more detailed sections? This allows users to quickly understand the key points without being overwhelmed by a lengthy legal document.
  • Format-Friendly: Is the policy readable on all devices? A poorly formatted PDF that requires zooming and scrolling on a mobile device is a red flag. The policy should be designed for web and mobile use with clear headings and a table of contents.

2. Clarity and Plain Language

This is where many startups fail, often using generic templates filled with legal jargon. A compliant privacy policy must use language that is easy for the average person to understand.

An investor should check for:

  • Lack of "Legalese": Does the policy avoid overly complex legal or technical terms? Instead of "data subject," does it use "you" or "user"? Instead of "data controller," does it say "we" or "the company"?
  • Specificity Over Vagueness: The policy should be direct and avoid vague terms like "we may collect data to improve our services" or "data might be shared with some partners." A clear policy specifies what data is collected, why, and with whom it is shared.
  • Direct and Active Voice: A well-written policy uses active sentences that clearly state the company's actions (e.g., "We collect your email address to send you our newsletter") rather than passive, evasive language.

A privacy policy that is hidden, difficult to read, or filled with vague language is not only non-compliant but also a major moral and reputational risk. It signals a lack of respect for user privacy, which can be devastating for a startup's brand and customer loyalty. Fines have been issued for lack of transparency, proving that this is a critical check for any discerning investor.

The Required Information in a Privacy Policy

For an investor, simply seeing that a startup has a privacy policy is not enough. The policy must contain specific, mandatory information as outlined in GDPR Articles 13 and 14. This isn't optional—it's the core of the GDPR's transparency principle. A policy that omits any of this information is non-compliant and represents a significant legal risk.

Here is a detailed checklist of what an investor should look for, confirming that all required information is present:

1. Identity and Contact Details

Controller's Identity: The policy must clearly state the name and contact details of the company responsible for the data (the data controller). This establishes who is legally accountable.

DPO Contact: If the startup is required to have a Data Protection Officer (DPO), their contact details must be included. This is an essential point of contact for users and regulators.

2. Purpose and Legal Basis

Purpose of Processing: The policy must explicitly state the purpose for which the personal data is being processed. It should be specific, not a vague statement like "to improve our services."

Lawful Basis: For each processing activity, the privacy policy must clearly identify the corresponding legal basis (e.g., consent, contractual necessity, legitimate interests) as outlined in GDPR Article 6.

3. Data Flow and Sharing

Data Recipients: The policy must list the categories of recipients with whom personal data is shared. This includes third-party service providers (e.g., analytics platforms, cloud hosting providers, marketing tools) and partners.

International Transfers: If the startup transfers personal data outside the EU/EEA, the policy must state the fact of the transfer, the country it is being sent to, and the legal safeguards in place to protect the data (e.g., Standard Contractual Clauses, adequacy decisions).

4. Data Lifecycle

Data Retention Periods: The policy must state how long the personal data will be stored, or, if a specific period isn't possible, the criteria used to determine that period (e.g., "until the user deletes their account" or "for a period of 7 years as required by tax law").

5. Data Subject Rights

The policy must inform users of all their rights under the GDPR, including:

  • The right to access their data.
  • The right to rectification (to correct inaccurate data).
  • The right to erasure (the "right to be forgotten").
  • The right to restrict processing.
  • The right to data portability.
  • The right to object to processing.
  • The right to withdraw consent at any time (if consent is the legal basis).
  • The right to lodge a complaint with a supervisory authority.

For an investor, a policy that is missing any of these elements is a clear sign of non-compliance. Regulatory bodies, such as France's CNIL, have issued fines to companies for precisely these types of omissions, citing a failure to be transparent about data processing activities. A comprehensive, detailed privacy policy is a foundational element of a legally sound business.

Financial penalties for non-compliance with GDPR Articles 13 and 14 can be severe, with fines for certain violations reaching up to €20 million or 4% of a company's total global annual turnover, whichever is greater. These fines are meant to be effective, proportionate, and dissuasive.

Here are some key takeaways regarding financial penalties and the reasons they were issued:

Reasons for Fines:

Supervisory authorities have issued fines for violations related to the transparency and information requirements of GDPR. The most common reasons include:

  • Insufficient fulfillment of information obligations: Failing to provide all the mandatory information required by Articles 13 and 14 in a clear, concise, and easily accessible manner.
  • Insufficient legal basis for data processing: A company may be fined if it does not clearly state the legal basis for processing personal data, such as a lack of valid consent for data collection.
  • Lack of clear consent and transparency in cookie usage: Many fines have been issued for a lack of transparency regarding the use of cookies and a failure to obtain proper, "freely given" consent from users.
  • Failure to provide data subjects' rights: Penalties have been imposed on companies that fail to provide individuals with the means to exercise their rights, such as accessing their data or requesting its deletion.

Notable Fines

Several companies have faced significant fines for violations related to transparency and information requirements.

  • Meta (Facebook) was fined €405 million by the Irish Data Protection Commission (DPC) for breaches related to the handling of children's data, including making it publicly accessible.
  • Amazon received a €746 million fine from the Luxembourg data protection authority (CNPD) for failing to get "freely given" consent from its users for targeted advertising.
  • TikTok was fined €345 million for various GDPR violations, including a lack of transparency and a failure to protect the data of minors.
  • 1&1 Ionos was fined €9.55 million in Germany for failing to implement sufficient technical and organizational measures to protect customer data in its call centers.

Freely Given

Consent must be given without any pressure or coercion.

What to check: The startup should not make access to its service or a key feature conditional on the user providing consent for an unrelated purpose, such as signing up for marketing emails. For example, a user should be able to create an account without being forced to consent to receive promotional newsletters.

Specific

Consent must be for a specific, defined purpose.

What to check: The startup should not use a single, all-encompassing checkbox to get consent for multiple, different processing activities. For instance, a user should have the option to consent separately for email marketing, third-party data sharing, and push notifications. The purpose of each consent should be clearly stated alongside the checkbox.

Informed

The user must be fully informed about the processing activity they are consenting to.

What to check: The startup's consent forms and privacy notices should use clear, plain language that is easy to understand. The information provided should include the identity of the data controller, the purpose of the processing, the types of data being collected, and the user's right to withdraw consent at any time.

Unambiguous

Consent must be given through a clear, affirmative action.

What to check: The startup should not use pre-ticked boxes or other passive forms of consent. The user must actively and consciously make a choice, such as clicking a button labeled "I agree" or ticking an empty box. This action should be logged and recorded to create an audit trail, which proves that valid consent was obtained.

Beyond a compliant user interface, a startup must have a robust internal system to record and manage consent. This is a core part of GDPR's accountability principle, which places the burden of proof on the data controller. An investor must verify that the startup can demonstrate when and how consent was obtained for any processing activity based on this lawful basis.

A startup needs to maintain a detailed audit trail for every user's consent. This is a secure log that can be presented to a regulatory authority if requested. The audit trail should record:

  • Who consented: The user's name or a unique identifier (like a user ID or an IP address).
  • When they consented: A timestamp (date and time) of the consent.
  • How they consented: The method used to obtain consent (e.g., a checkbox click on a specific form, an opt-in button on a cookie banner).
  • What they consented to: A record of the exact text and version of the consent statement, as well as the privacy policy in effect at that time.

A compliant system also allows for ongoing consent management. An investor should check that the startup's system allows users to:

  • Withdraw consent easily: It should be as simple to withdraw consent as it was to give it. This means having an easily accessible "unsubscribe" link in emails or a privacy dashboard where users can manage their preferences.
  • Change their mind: The system should track changes to consent, documenting when a user has opted out or altered their permissions.

A startup that relies on a manual or ad-hoc system for consent management is at high risk. A sophisticated, automated Consent Management Platform (CMP) is often a strong indicator of a company's commitment to compliance and a key part of reducing long-term legal and reputational risk.

It must be as easy for a user to withdraw consent as it is to give it. A startup's consent mechanism isn't compliant if it makes the withdrawal process overly complicated, difficult to find, or burdensome. An investor should check that the startup's system for withdrawing consent is straightforward and frictionless.

An investor should verify that the startup provides a clear, accessible, and simple method for users to withdraw their consent at any time. This means looking for things like:

  • Prominent Withdrawal Options: If consent was given via a website, there should be an easy-to-find link on the site itself (e.g., in a privacy dashboard, account settings, or a dedicated "Unsubscribe" page). A good example is the unsubscribe button at the bottom of a marketing email.
  • No Unnecessary Steps: The withdrawal process should not require users to go through multiple steps, fill out complex forms, or contact customer support by phone. If consent was given with a single click, it should ideally be withdrawn with a single click as well.
  • Immediate Effect: The startup's system should be configured to immediately stop all processing of data that was reliant on the withdrawn consent. This includes ceasing marketing communications and ceasing any data sharing with third parties for that specific purpose.

A startup that passes these checks demonstrates a strong commitment to user rights and GDPR compliance. Conversely, a startup that makes consent withdrawal difficult is at a high risk of attracting regulatory fines and significant reputational damage.
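The audit-trail fields (who, when, how, what) and the withdrawal requirements above translate directly into a small append-only consent log. The code below is an added example, not the article's or any vendor's CMP; the `ConsentLog` API, the purpose names, the policy version strings and the sample events are all assumptions. It refuses to record consent that was not an affirmative action, keeps a hash of the exact consent wording and the policy version in force, makes withdrawal a single call that is logged like any other event, and exposes the gate (`may_process`) that every consent-based processing step should consult so that withdrawal takes immediate effect.

```python
"""Append-only consent audit trail with single-step withdrawal (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str          # who: a stable internal identifier, not the email itself
    timestamp: datetime   # when: timezone-aware UTC
    purpose: str          # what: one granular purpose per event
    granted: bool         # True = opt-in, False = withdrawal
    method: str           # how: e.g. "signup_form_checkbox", "email_unsubscribe_link"
    text_hash: str        # what exactly was shown: SHA-256 of the consent wording
    policy_version: str   # privacy policy version in force at the time


class ConsentLog:
    """Events are only ever appended; the current state is the latest event."""

    def __init__(self):
        self._events = []

    @staticmethod
    def _digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def grant(self, user_id, purpose, method, consent_text, policy_version,
              affirmative_action, now=None):
        # A pre-ticked box or silence is not consent: refuse to record it at all.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        self._append(user_id, purpose, True, method, consent_text, policy_version, now)

    def withdraw(self, user_id, purpose, method, policy_version, now=None):
        # Withdrawal is one call, mirroring grant, and leaves its own audit record.
        self._append(user_id, purpose, False, method, "", policy_version, now)

    def _append(self, user_id, purpose, granted, method, text, policy_version, now):
        ts = now or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(user_id, ts, purpose, granted, method,
                                         self._digest(text), policy_version))

    def may_process(self, user_id, purpose, at=None):
        """Gate for consent-based processing: the latest event for the purpose wins.

        With `at` set, answers what the state was at that moment, which is the
        question a regulator asks about a specific send or share."""
        state = False
        for e in self._events:
            if (e.user_id == user_id and e.purpose == purpose
                    and (at is None or e.timestamp <= at)):
                state = e.granted
        return state

    def evidence(self, user_id, purpose):
        """Full history for one user and purpose, oldest first (what you hand over)."""
        return [e for e in self._events
                if e.user_id == user_id and e.purpose == purpose]


def demo():
    """Constructed scenario: opt-in at signup, unsubscribe four days later."""
    log = ConsentLog()
    t0 = datetime(2025, 9, 1, 10, 0, tzinfo=timezone.utc)
    t1 = datetime(2025, 9, 5, 9, 30, tzinfo=timezone.utc)
    # Granular opt-in: only the newsletter purpose, nothing bundled with it.
    log.grant("u-1001", "newsletter", "signup_form_checkbox",
              "Send me the weekly product newsletter", "pp-2025-08",
              affirmative_action=True, now=t0)
    # Single-click withdrawal from the footer link of a marketing email.
    log.withdraw("u-1001", "newsletter", "email_unsubscribe_link", "pp-2025-08", now=t1)
    return log


if __name__ == "__main__":
    log = demo()
    print("may send newsletter now:", log.may_process("u-1001", "newsletter"))
    for e in log.evidence("u-1001", "newsletter"):
        print(e.timestamp.isoformat(), "granted" if e.granted else "withdrawn", e.method)
```

Storing the hash of the consent wording rather than the wording itself keeps the log small while still tying each record to a specific version of the text; the versions themselves need to be retained separately so the hash can be matched later.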

Under GDPR Article 32, a startup must implement a combination of technical and organizational measures to ensure a level of security appropriate to the risks of processing personal data. For an investor, verifying these measures is a crucial part of legal due diligence and risk assessment.

Technical Measures

These are the technological safeguards a startup has in place to protect data. An investor should look for:

  • Pseudonymization and Encryption: Are personal data fields pseudonymized or encrypted? Pseudonymization replaces direct identifiers with artificial ones, with the information needed to reverse the mapping kept separately (Article 4(5)), while encryption renders data unreadable without a key. Article 32(1)(a) names both as example measures. Check encryption both at rest and in transit (TLS on every service boundary, not only the public edge), and ask where the keys live: encryption whose key sits next to the data, or in source control, protects very little.
  • Access Controls: Is access to personal data restricted? This means role-based access control (RBAC), so that employees and services can reach only the data strictly necessary for their job functions, plus multi-factor authentication on the systems that hold personal data and logs of who accessed what, so that a breach can be scoped afterwards.
  • Security of Systems: Are the company's systems and services resilient to attacks? This includes firewalls, endpoint protection, secure network configurations and a patching routine. Article 32(1)(c) also requires the ability to restore availability and access to personal data in a timely manner after an incident, so ask for evidence of restore tests, not just backups.
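The first two items above (pseudonymization with the re-identification data held separately, and role-based field access) can be checked concretely. The block below is an added example, not code from the original article: the roles, field names and key handling are illustrative assumptions, and encryption of the stored records is left to a vetted library (for example AES-GCM from the `cryptography` package) rather than reimplemented. It shows why a keyed HMAC is used instead of a plain hash, and how RBAC is applied as a field filter rather than an all-or-nothing gate.

```python
"""Pseudonymisation with a keyed HMAC, a separately held re-identification
table, and role-based field access.

Added example, not code from the original article. Roles, field names and
key handling are illustrative assumptions.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Set

DIRECT_IDENTIFIERS = ("email", "name", "phone")

# Which fields each role may see. A role that is not listed gets nothing.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "support_agent": {"user_id", "email", "name", "plan"},
    "data_analyst": {"user_id", "plan", "signup_country"},
    "billing": {"user_id", "plan", "phone"},
}


def _role_sees_identifiers(role: str) -> bool:
    return bool(ROLE_FIELDS.get(role, set()) & set(DIRECT_IDENTIFIERS))


class Pseudonymiser:
    """Replaces direct identifiers with an HMAC-SHA256 token.

    A plain hash would let anyone holding a list of email addresses recompute
    the tokens and re-identify users. Keying the HMAC with a secret stored
    outside the analytics environment keeps the tokens linkable (the same
    person yields the same token) but reversible only by the key holder.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        # The "additional information" of Article 4(5): the mapping back to
        # the original value. In-memory here; in production this lives in a
        # separate store with its own access controls.
        self._reid: Dict[str, str] = {}

    def token(self, value: str) -> str:
        canonical = value.strip().lower().encode("utf-8")
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        for field_name in DIRECT_IDENTIFIERS:
            if field_name in out:
                tok = self.token(out[field_name])
                self._reid[tok] = out[field_name]
                out[field_name] = tok
        return out

    def reidentify(self, token: str, role: str) -> str:
        """Only roles entitled to direct identifiers may reverse a token."""
        if not _role_sees_identifiers(role):
            raise PermissionError(f"role {role!r} may not re-identify")
        return self._reid[token]


def view_for_role(record: dict, role: str) -> dict:
    """Role-based field filtering: return only the columns the role needs."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    return {k: v for k, v in record.items() if k in allowed}


def dataset_for_role(records: Iterable[dict], role: str, p: Pseudonymiser) -> List[dict]:
    """Roles without a need for direct identifiers get pseudonymised rows,
    then field filtering on top; roles that need them (support, billing)
    get raw rows, still filtered to their columns."""
    rows = []
    for rec in records:
        base = rec if _role_sees_identifiers(role) else p.pseudonymise(rec)
        rows.append(view_for_role(base, role))
    return rows
```

When reviewing a startup's own version of this, the questions to ask are the ones the code makes visible: is the token a keyed HMAC or a bare SHA-256 of the email (the latter is trivially reversible for anyone with a mailing list), where is the key stored relative to the pseudonymised dataset, and does the analytics role ever receive the raw row at all.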

Organizational Measures

These are the internal policies, procedures, and human-centric safeguards that support the technical measures. An investor should check for:

  • Security Testing: Does the startup have a process for regularly testing, assessing, and evaluating the effectiveness of its security measures? This can include vulnerability scans and regular penetration testing. The GDPR explicitly mandates such a process (Article 32(1)(d)); ask to see the last report and what was done with its findings.
  • Employee Training: Are all employees, particularly those who handle personal data, trained on data protection best practices and internal security policies? This helps prevent human error, which is a leading cause of data breaches.
  • Incident Response Plan: Does the company have a clear, documented plan for what to do in the event of a personal data breach? This plan should include procedures for detecting a breach, assessing its risk, reporting it to the supervisory authority (Article 33: where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals), and responding to it.

A startup that can demonstrate a well-documented and actively managed set of both technical and organizational measures shows a mature and responsible approach to data security, significantly reducing the risk of a breach and its associated legal and financial consequences.

Incident Response Plan

The GDPR does not use the words "incident response plan", but it requires one in substance. Article 32 obliges companies to have technical and organizational measures that ensure the ongoing confidentiality, integrity, availability and resilience of personal data, and Articles 33 and 34 impose notification deadlines that cannot realistically be met without a plan that is written down and rehearsed in advance.

An investor should verify the existence and quality of this plan, as it is a crucial indicator of a startup's operational maturity and ability to mitigate a major risk. A well-designed plan allows a startup to act swiftly and decisively, which can minimize financial losses and reputational damage.

Key Components of the Plan

A robust incident response plan should have documented procedures for the following:

  • Detection: How does the startup identify a potential data breach? This could involve automated monitoring systems, regular security audits, or a clear internal reporting procedure for employees to flag suspicious activity. The plan should outline who is responsible for receiving and assessing these reports.
  • Containment & Investigation: Once a breach is suspected, the plan must detail the steps to contain it, prevent further damage, and investigate its root cause. This includes a clear chain of command, with assigned roles and responsibilities for a dedicated incident response team.
  • Notification: The GDPR sets strict deadlines for reporting a breach. The plan must specify the process for notifying the relevant supervisory authority (e.g., the local data protection office) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the facts are not all known within 72 hours, the information may be provided in phases. It should also outline the criteria for notifying affected individuals, which is required when the breach is "likely to result in a high risk to their rights and freedoms" (Article 34), and who decides, on what evidence, that a breach falls below either threshold.
  • Documentation: The plan must include a protocol for documenting all facts related to the breach, its effects, and the remedial actions taken. This is essential for a company to demonstrate its compliance with GDPR to regulators.
  • Post-Incident Review: After an incident is contained and resolved, the plan should require a review to identify lessons learned, improve security measures, and prevent future occurrences.

A startup without a clear, documented plan is not just non-compliant; it's unprepared for one of the most significant risks it faces. The lack of a plan can lead to delayed responses, higher fines, and a catastrophic loss of customer trust.

Having clearly defined internal procedures for handling Data Subject Access Requests (DSARs) is an essential part of GDPR compliance and a critical due diligence point for an investor. The GDPR grants individuals a number of rights over their personal data, and a startup must have a reliable system in place to respond to these requests in a timely and correct manner.

Why DSAR Procedures Are Critical

A lack of a formal process for handling DSARs can lead to significant fines and reputational damage. GDPR gives a company only one month to respond to a DSAR, a period that can be extended by two months for complex cases. Without a clear procedure, a startup is at high risk of missing this deadline, which is a direct violation of the law.

What an Investor Should Check

An investor should verify that the startup has a written, accessible procedure that outlines how it handles all data subject rights, including:

  • Request Identification: How does the company ensure that all staff, regardless of their department, can recognize a DSAR, whether it's submitted via email, a form, or even a verbal request? The procedure should include training for all employees on how to spot and escalate these requests.
  • Identity Verification: The procedure must outline how the startup will verify the identity of the person making the request to avoid a data breach. This is a crucial step to ensure personal data isn't mistakenly given to the wrong person.
  • Data Retrieval and Review: The plan should detail who is responsible for collecting the requested data from all relevant systems and where it is stored. It should also include a process for redacting any information that belongs to other individuals or is subject to legal exemptions.
  • Response and Delivery: The procedure must specify how the startup will communicate its response to the data subject in a secure, transparent, and easy-to-understand format. This includes providing a copy of the data and explaining the user's rights, such as their right to complain to a supervisory authority.

A startup that can demonstrate a well-documented and actively managed DSAR process shows a strong commitment to compliance and accountability, which significantly lowers legal risk for an investor. Conversely, a startup that struggles to articulate this process is likely to face a fine or legal action down the line.

A startup's procedures for handling data subject rights (DSRs) must be capable of fulfilling requests within the one-month statutory timeframe to be compliant with GDPR. This deadline applies to all of the key rights, including access, rectification, erasure, portability, and objection.

A startup's ability to meet this deadline is a critical indicator of its operational maturity and compliance. The one-month clock starts from the moment the request is received, and it can be a significant challenge for companies that lack a streamlined process.

The One-Month Deadline

The GDPR specifies that a data controller must respond to a DSR "without undue delay and at the latest within one month of receipt of the request." While this is the general rule, there are a few exceptions:

  • Complexity: The timeframe can be extended by up to two additional months for complex or numerous requests. However, the startup must inform the individual of this extension and provide a reason for the delay within the initial one-month period.
  • Identity Verification: The clock doesn't start until the startup has the information it needs to verify the requestor's identity. However, it must ask for that information promptly, and only for what is proportionate to the request: demanding a passport scan from a user who is already logged into their account is a data-minimization problem of its own, and an identity check cannot be used to run out the clock.
  • Manifestly Unfounded or Excessive: If the request is clearly unfounded or repetitive, the startup may be able to refuse the request or charge a reasonable fee. However, the startup must still inform the individual of this decision and their right to lodge a complaint within the one-month timeframe.
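The deadline rules above are easy to state and easy to get wrong in a ticketing system, especially the month-end case (a request received on 31 January is not due on "31 February"). The block below is an added example, not code from the original article. Two points in it are assumptions for illustration and should be confirmed with counsel or the relevant supervisory authority: "one month" is counted as the same calendar day in the following month, clamped to the last day of that month when no such day exists; and, as the article describes, the clock is treated as starting from receipt or, if later, from the day the promptly requested identity information arrived. Request IDs and dates are constructed sample data.

```python
"""Deadline tracking for data subject requests under Article 12(3).

Added example, not code from the original article. The month-arithmetic
convention and the identity-verification clock start are assumptions for
illustration; confirm them with counsel or your supervisory authority.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with month-end clamping (assumption, see above):
    31 Jan + 1 month -> 28/29 Feb, 30 Apr + 1 month -> 30 May."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class DataSubjectRequest:
    request_id: str
    received: date
    identity_verified: Optional[date] = None   # None while the ID check is open
    extension_notified: Optional[date] = None  # when the extension notice went out
    extension_months: int = 0

    def clock_start(self) -> date:
        # Assumption from the article: the clock runs from receipt, or from the
        # day the promptly requested identity information arrived, if later.
        if self.identity_verified and self.identity_verified > self.received:
            return self.identity_verified
        return self.received

    def initial_deadline(self) -> date:
        return add_months(self.clock_start(), 1)

    def extend(self, notified_on: date, months: int) -> None:
        """Extend by one or two further months for complex or numerous
        requests. The data subject must be told, with reasons, inside the
        initial month; a later notice does not buy more time."""
        if months not in (1, 2):
            raise ValueError("extension must be one or two months")
        if notified_on > self.initial_deadline():
            raise ValueError("extension notice must go out within the initial month")
        self.extension_notified = notified_on
        self.extension_months = months

    def deadline(self) -> date:
        return add_months(self.clock_start(), 1 + self.extension_months)

    def days_remaining(self, today: date) -> int:
        """Negative when overdue."""
        return (self.deadline() - today).days


def overdue(requests: List[DataSubjectRequest], today: date) -> List[str]:
    """Queue check: which requests have already missed their deadline?"""
    return [r.request_id for r in requests if r.days_remaining(today) < 0]


def due_within(requests: List[DataSubjectRequest], today: date, days: int) -> List[Tuple[str, date]]:
    """Requests due in the next `days` days, for escalation before they slip."""
    return [(r.request_id, r.deadline()) for r in requests if 0 <= r.days_remaining(today) <= days]
```

An investor testing a startup's process does not need this code; the useful move is to ask the same questions of the startup's own tracker: what does it compute for a request received on the 31st, does it refuse to record an extension that was notified after the first month, and who is looking at the "due this week" list.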

Why This is a Critical Check

For an investor, verifying the startup's ability to meet this deadline is a non-negotiable part of due diligence. A company that fails to respond on time is in direct violation of GDPR and risks regulatory scrutiny, fines, and lawsuits. Fines have been issued for the mere failure to respond to a DSAR, proving that this is a critical administrative step that can lead to significant financial and reputational harm.

Therefore, an investor should not just ask if a startup has a procedure, but also test whether that procedure is robust enough to handle these requests efficiently and within the legal timeframe.

This is a critical question for any investor, as the GDPR imposes strict conditions on the transfer of personal data outside the European Economic Area (EEA). The core principle is that the level of data protection afforded by the GDPR must not be compromised when data is moved to a "third country."

If the startup does not transfer any personal data outside the EEA, this section is straightforward, but it's important to document this fact.

If it does, an investor must verify what legal mechanism is being used to ensure adequate protection. The primary legal mechanisms for transferring personal data outside the EEA are:

Adequacy Decisions

An adequacy decision is a formal decision by the European Commission stating that a country, a territory, or a specific sector within a country provides a level of data protection essentially equivalent to the EU's. Data can flow to these "adequate" destinations without further transfer safeguards (the rest of the GDPR still applies to the processing). Examples of countries with adequacy decisions include Canada (for commercial organizations), Japan, New Zealand, Switzerland, the United Kingdom, and the United States (only for recipients certified under the EU-U.S. Data Privacy Framework; a transfer to an uncertified U.S. vendor is not covered).

What to check:

  • Does the startup transfer data to a country on the EU's adequacy list?
  • Is the specific data transfer covered by the adequacy decision? For instance, the adequacy decision for Canada only applies to commercial organizations.

Standard Contractual Clauses (SCCs)

If a country lacks an adequacy decision, the startup must implement appropriate safeguards (Article 46). The most common and widely used safeguard is Standard Contractual Clauses (SCCs): model data protection clauses adopted by the European Commission that the data exporter and importer sign as-is, without modification.

What to check:

  • Are SCCs in place? Does the startup have a signed agreement with the third-party recipient that incorporates the 2021 SCCs (Commission Implementing Decision (EU) 2021/914), with the correct module selected for the relationship (for example controller-to-processor for a SaaS vendor)? Contracts still resting on the pre-2021 clauses have not been valid since 27 December 2022, and a startup that accepted a vendor's standard terms years ago may not have noticed.
  • Have they performed a Transfer Impact Assessment (TIA)? The Schrems II ruling requires that companies using SCCs also assess whether the laws and practices of the recipient country, in particular government access to data, could undermine the protections the SCCs provide on paper. The startup should have a documented assessment per transfer (or per vendor) showing it considered this risk and implemented supplementary measures, such as encryption with keys held inside the EEA, where needed.

Binding Corporate Rules (BCRs)

Binding Corporate Rules (BCRs) are a set of legally binding internal rules that allow multinational companies to transfer personal data within their corporate group. BCRs are a complex and time-consuming mechanism to implement, as they must be approved by a data protection authority. Due to this complexity, they are typically used only by large, multinational corporations and are generally not a practical solution for most startups.

What to check:

  • Is the startup part of a larger corporate group that has an approved set of BCRs?
  • If so, does the data transfer fall within the scope of those rules?

Derogations

In the absence of an adequacy decision or appropriate safeguards, a startup can rely on the derogations for specific situations in Article 49. These are a last resort, intended for occasional transfers, and should be used infrequently. The most common derogation is explicit consent: the data subject must be informed of the risks of the transfer to a country without adequate safeguards and then explicitly consent to it. A startup that routes its entire user base to a third-country vendor on the strength of a consent checkbox is not relying on a derogation, it is missing a safeguard.

For an investor, verifying the startup's approach to data transfers is non-negotiable. A company that cannot demonstrate a clear, lawful basis for transferring data outside the EEA is a significant liability and a high-risk investment.

Based on the findings from the due diligence checklist, a comprehensive analysis of potential risks associated with any identified GDPR compliance failures must be conducted. These risks fall into three main categories: financial, legal, and reputational.

Financial Risk

The GDPR's administrative fines are designed to be a serious deterrent. An investor must calculate the potential financial liability a startup could face for non-compliance.

Maximum Administrative Fine: Under GDPR Article 83, infringements are categorized into two tiers. The most serious violations, such as processing data without a lawful basis or violating data subject rights, can lead to a fine of up to €20 million or 4% of the company's total worldwide annual turnover from the preceding financial year, whichever is higher. Less severe violations can result in fines up to €10 million or 2%. An investor should calculate what these numbers would mean for the startup.

DPA Investigations: It is crucial to determine if the startup has ever been investigated by a Data Protection Authority (DPA). A history of investigations, even if they did not result in a fine, is a major red flag as it indicates a prior failure in compliance and could lead to increased scrutiny from regulators.

Legal Risk

Beyond fines, non-compliance exposes a company to significant legal threats that can disrupt operations and drain resources.

History of Incidents: The investor should look for any history of data breaches, security incidents, or complaints from data subjects. The absence of a formal incident response plan or a track record of mishandling Data Subject Access Requests (DSARs) indicates a higher legal risk.

Private Litigation: GDPR Article 82 grants individuals the right to sue for compensation for both material (e.g., financial loss) and non-material (e.g., emotional distress) damage resulting from a GDPR infringement. A well-documented compliance failure could lead to a wave of costly private lawsuits, especially from groups of affected individuals.

Reputational Risk

For a startup, a reputation for being careless with data can be more damaging than any fine. In the modern digital economy, trust is a core business asset, and a GDPR failure can erode it in an instant.

Brand Damage: A significant GDPR fine or a publicly disclosed data breach can lead to widespread negative media attention and social media backlash. This can make the brand synonymous with "unsafe" or "untrustworthy." For a young company trying to build market share, this kind of reputational hit can be catastrophic and is often difficult to recover from.

Loss of Customer Trust: A data privacy failure can lead to a mass exodus of customers, as users become more vigilant about who they trust with their personal information. Studies have shown that a significant percentage of consumers will terminate their relationship with a company after a data breach.

Difficulty Attracting Talent and Partners: A company with a poor privacy reputation may also find it difficult to attract top talent and secure partnerships, as other organizations may be hesitant to be associated with a high-risk entity. This can stifle a startup’s growth and long-term viability.

This report synthesizes the findings of our GDPR due diligence on the target startup, assessing its compliance posture, identifying critical risks, and providing a final investment recommendation.

The startup's GDPR compliance posture is currently rated Amber. While the company has made initial steps toward compliance, particularly in having a basic privacy policy and some security measures, significant gaps were identified in core areas. The current posture exposes the company to a high level of avoidable risk that could jeopardize the investment.

The most significant risks identified during this due diligence process are:

  • Lawful Basis Failure: The startup's rationale for processing data, especially under "legitimate interests," is poorly documented and has not been subjected to a formal Legitimate Interest Assessment (LIA). This exposes the company to a high risk of being found in violation of GDPR Article 6, which is a top-tier offense.
  • Administrative Inadequacy: There is no formal, documented Record of Processing Activities (ROPA) as required by GDPR Article 30. This signals a fundamental lack of accountability and would be a major aggravating factor in any regulatory investigation. Furthermore, the absence of a clear process for handling Data Subject Access Requests (DSARs) makes it highly likely the company would fail to meet the one-month statutory timeframe, risking fines and legal action.
  • Data Transfer Vulnerability: The startup transfers personal data outside the EEA but has not implemented legally sound mechanisms like updated Standard Contractual Clauses (SCCs). There is no evidence of a Transfer Impact Assessment (TIA) to evaluate the risks of transferring data to a third country, a direct violation of post-Schrems II requirements.
  • Financial and Reputational Exposure: The identified issues could lead to a fine of up to €20 million or 4% of the company's annual global turnover. Moreover, a public fine or a data breach would result in a severe loss of customer trust and negative media attention. This would not only harm the brand but could also lead to costly private litigation from affected data subjects under GDPR Article 82.

Based on this analysis, the recommendation is to proceed with the investment only on the condition that a clear, binding GDPR remediation plan is executed. The plan should be a pre-condition to the final closing of the deal and must include:

  • A dedicated budget for GDPR remediation, including hiring a qualified Data Protection Officer (DPO) or external counsel to overhaul compliance.
  • A strict timeline for creating and implementing all missing documentation, including a robust ROPA, a formal incident response plan, and legally valid data transfer mechanisms.
  • Mandatory technical and organizational improvements, such as implementing a proper Consent Management Platform (CMP) and training all employees on data protection best practices.

Without a strong commitment to fixing these compliance issues, the potential for catastrophic financial, legal, and reputational harm makes the investment too risky to recommend at this time.

Ultimately, a company's relationship with data is a reflection of its values. How are you building trust with your users and protecting what matters most?

Anton Sudnik, Managing Partner of Archstone Counsel

About the Author

Anton Sudnik, Esq. is the founder and Managing Partner of Archstone Counsel. He provides strategic guidance to global businesses in technology and finance, drawing on over 18 years of experience in capital markets and corporate law.
