GDPR Compliance: What It Requires, How to Achieve It, and What B2B Companies Must Know
2026-03-07
By Orbiq Team


A practical guide to GDPR compliance — what the regulation requires, how it applies to B2B SaaS companies, key obligations around data processing, data subject rights, international transfers, and how to demonstrate compliance to enterprise buyers.

GDPR
Data Protection
Privacy
Compliance
B2B SaaS
Data Processing Agreement


The General Data Protection Regulation (GDPR) is the EU's data protection framework, governing how organisations collect, process, store, and transfer personal data of individuals in the European Economic Area. Since its enforcement in May 2018, it has become the global benchmark for data protection law.

For B2B SaaS companies, GDPR is not optional — it applies whenever you process personal data of EEA residents, whether as a controller (your own employees, website visitors, marketing contacts) or as a processor (data your customers store in your platform). Understanding your obligations, implementing the required controls, and demonstrating compliance to buyers are essential for operating in the European market.

This guide covers what GDPR requires, how it applies to B2B companies, key compliance obligations, and how to demonstrate compliance to enterprise buyers.


GDPR Fundamentals

Key Definitions

| Term | Definition | B2B SaaS Example |
|---|---|---|
| Personal data | Any information relating to an identified or identifiable natural person | Employee names in your customer's HR platform |
| Data controller | Determines purposes and means of processing | Your customer (the business using your software) |
| Data processor | Processes data on behalf of the controller | You (the SaaS provider) |
| Data subject | The individual whose data is processed | An employee of your customer |
| Processing | Any operation performed on personal data | Storage, retrieval, analysis, deletion |
| Supervisory authority | National data protection authority | CNIL (France), BfDI (Germany), ICO (UK) |

The Six Lawful Bases for Processing

GDPR Article 6 requires a lawful basis for every processing activity:

  1. Consent — The data subject has given clear consent for a specific purpose
  2. Contractual necessity — Processing is necessary to fulfil a contract with the data subject
  3. Legal obligation — Processing is required by law
  4. Vital interests — Processing is necessary to protect someone's life
  5. Public interest — Processing is necessary for a task in the public interest
  6. Legitimate interests — Processing is necessary for legitimate interests, balanced against the data subject's rights

For B2B SaaS companies, the most common bases are contractual necessity (processing data to provide the service) and legitimate interests (business operations, security, analytics).

Core Principles (Article 5)

All processing must comply with these principles:

  • Lawfulness, fairness, and transparency — Process data legally, fairly, and in a transparent manner
  • Purpose limitation — Collect data for specified, explicit, and legitimate purposes
  • Data minimisation — Process only data that is necessary for the stated purpose
  • Accuracy — Keep personal data accurate and up to date
  • Storage limitation — Retain data only as long as necessary
  • Integrity and confidentiality — Process data securely with appropriate technical and organisational measures
  • Accountability — Demonstrate compliance with all principles

GDPR Obligations for B2B SaaS Companies

As a Data Processor

When you process data on behalf of your customers, your obligations include:

Data Processing Agreement (Article 28)

  • Enter into a DPA with each customer specifying the scope, purpose, and duration of processing
  • Document the types of personal data and categories of data subjects
  • Specify your obligations regarding security, sub-processors, and data subject rights

Sub-Processor Management (Article 28(2)-(4))

  • Obtain general or specific written authorisation from the controller before engaging sub-processors
  • Maintain an up-to-date list of sub-processors with descriptions of processing activities
  • Impose equivalent data protection obligations on sub-processors through contracts
  • Notify controllers of any changes to sub-processors with sufficient advance notice

Security Measures (Article 32)

  • Implement appropriate technical and organisational measures, including:
    • Pseudonymisation and encryption of personal data
    • Ability to ensure ongoing confidentiality, integrity, availability, and resilience
    • Ability to restore data availability and access after an incident
    • Regular testing of security measures

Data Breach Notification (Article 33)

  • Notify the controller without undue delay after becoming aware of a personal data breach
  • Provide all information necessary for the controller to fulfil their notification obligations

Assistance with Data Subject Rights (Article 28(3)(e))

  • Assist the controller in responding to data subject requests (access, deletion, portability, etc.)
  • Implement technical capabilities to fulfil these requests efficiently

Record of Processing Activities (Article 30(2))

  • Maintain records of processing activities carried out on behalf of controllers
  • Include contact details, categories of processing, international transfers, and security measures

As a Data Controller

For your own data processing activities (employees, website visitors, marketing), you are the controller with additional obligations:

  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Appoint a Data Protection Officer (DPO) if required
  • Maintain a comprehensive Record of Processing Activities (Article 30(1))
  • Implement privacy by design and by default (Article 25)
  • Respond directly to data subject requests within one month

International Data Transfers

The Transfer Framework

GDPR restricts transfers of personal data outside the EEA. Permitted transfer mechanisms:

Adequacy Decisions (Article 45)

Transfers to countries the European Commission has determined provide adequate data protection. Current adequacy decisions include: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (under the EU-US Data Privacy Framework), and Uruguay.

Standard Contractual Clauses (Article 46(2)(c))

Pre-approved contractual terms between data exporter and importer. The current SCCs (adopted June 2021) include four modules covering different controller/processor relationships.

Binding Corporate Rules (Article 47)

Internal data protection policies approved by supervisory authorities for intra-group transfers in multinational organisations.

The Schrems II Impact

The Schrems II decision (July 2020) added practical requirements:

  • Transfer Impact Assessments (TIAs): Assess whether the destination country's laws ensure adequate protection
  • Supplementary measures: Implement additional technical, contractual, or organisational measures if necessary
  • Case-by-case assessment: Evaluate each transfer relationship individually

Practical Approach for B2B SaaS

  1. Map all data flows involving personal data transfers outside the EEA
  2. Identify the legal basis for each transfer (adequacy, SCCs, BCRs)
  3. Conduct TIAs for transfers to non-adequate countries
  4. Implement supplementary measures where needed (encryption, access controls)
  5. Document everything for accountability and audit purposes

Data Subject Rights

Rights Overview

| Right | Article | Controller Response Time | Processor Obligation |
|---|---|---|---|
| Access | 15 | One month | Assist controller |
| Rectification | 16 | One month | Assist controller |
| Erasure | 17 | One month | Assist controller |
| Restriction | 18 | One month | Assist controller |
| Portability | 20 | One month | Assist controller |
| Objection | 21 | Without undue delay | Assist controller |

Implementation for SaaS Companies

As a processor, you need technical capabilities to:

  • Export data in a structured, machine-readable format (portability)
  • Delete data comprehensively across all systems, backups, and sub-processors (erasure)
  • Restrict processing — mark data as restricted and stop processing it
  • Locate all data related to a specific individual across your platform
  • Provide data to controllers within timeframes that allow them to meet their one-month deadline
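The capabilities listed above, as an added example that is not Orbiq's code or any product's API: an in-memory stand-in for the systems a SaaS platform holds subject data in (system names and sample records are constructed), with locate, export (Article 20), restrict (Article 18, which ordinary processing must then skip), erase (Article 17, with per-system counts to report back to the controller), and the controller's one-calendar-month deadline from which an internal hand-back date can be derived.

```python
"""Processor-side data subject request (DSR) toolkit. Added example, in-memory only."""
from dataclasses import dataclass
from datetime import date, timedelta
import json

@dataclass
class Record:
    system: str            # internal system holding the row (constructed names)
    subject_id: str        # the data subject, e.g. an employee of a customer
    data: dict
    restricted: bool = False   # Article 18: kept, but excluded from processing

class ProcessorStore:
    """Stand-in for the app DB, analytics store and backups a SaaS platform runs."""
    def __init__(self, records):
        self.records = list(records)
    def locate(self, subject_id):
        """Every record about one individual, across all systems."""
        return [r for r in self.records if r.subject_id == subject_id]
    def active(self, subject_id):
        """What routine processing may touch: restricted records are skipped."""
        return [r for r in self.locate(subject_id) if not r.restricted]
    def export(self, subject_id):
        """Article 20: structured, machine-readable output for the controller."""
        rows = [{"system": r.system, "data": r.data} for r in self.locate(subject_id)]
        return json.dumps(rows, sort_keys=True)
    def restrict(self, subject_id):
        """Article 18: flag rather than delete; returns the number of records flagged."""
        hits = self.locate(subject_id)
        for r in hits:
            r.restricted = True
        return len(hits)
    def erase(self, subject_id):
        """Article 17: delete from every system; per-system counts go to the controller."""
        counts = {}
        for r in self.locate(subject_id):
            counts[r.system] = counts.get(r.system, 0) + 1
        self.records = [r for r in self.records if r.subject_id != subject_id]
        return counts

def controller_deadline(received_iso: str) -> str:
    """One calendar month from receipt (Art. 12(3)); 31 Jan becomes 28/29 Feb."""
    d = date.fromisoformat(received_iso)
    month, year = d.month % 12 + 1, d.year + (d.month == 12)
    month_end = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, month_end)).isoformat()

# Constructed sample: one customer employee present in three systems, plus a bystander.
SAMPLE = [Record("app_db", "emp-42", {"name": "A. Example", "email": "a@example.com"}),
          Record("analytics", "emp-42", {"last_login": "2026-03-01"}),
          Record("backup", "emp-42", {"name": "A. Example"}),
          Record("app_db", "emp-7", {"name": "B. Example"})]
```

Subtract your own buffer (for example a week) from `controller_deadline` to get the internal date by which exports must reach the controller.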

Data Breach Management

The 72-Hour Timeline

When a breach occurs:

  1. Detection: Identify the breach through monitoring, reports, or alerts
  2. Assessment: Determine the nature, scope, and severity of the breach
  3. Controller notification (processor obligation): Notify without undue delay
  4. Authority notification (controller obligation): Within 72 hours of becoming aware
  5. Individual notification (if high risk): Without undue delay
  6. Remediation: Contain the breach and implement corrective measures
  7. Documentation: Record all breaches, regardless of severity

Breach Notification Content

The notification to the supervisory authority must include:

  • Nature of the breach (confidentiality, integrity, or availability)
  • Categories and approximate number of affected data subjects
  • Categories and approximate number of affected data records
  • Name and contact details of the DPO or other contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Demonstrating GDPR Compliance

Documentation

Maintain comprehensive documentation:

  • Record of Processing Activities (ROPA) — Article 30
  • Data Protection Impact Assessments — Article 35
  • Data Processing Agreements with all processors and sub-processors
  • International transfer documentation (SCCs, TIAs, supplementary measures)
  • Privacy policies and notices
  • Data breach register
  • Consent records (where consent is the legal basis)
  • DPO appointment and contact details (if applicable)

Certifications and Standards

While GDPR does not mandate specific certifications, these demonstrate relevant controls:

  • ISO 27001 — Information security management system covering GDPR-relevant security measures
  • ISO 27701 — Privacy information management extension to ISO 27001, specifically designed for GDPR alignment
  • SOC 2 — Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy
  • GDPR certification (Article 42) — Emerging certification mechanisms through accredited bodies

Trust Center Publication

Publish GDPR compliance evidence on your Trust Center:

  • DPA template available for download or electronic signing
  • Sub-processor list with descriptions and data categories
  • Privacy policy and data processing documentation
  • Data flow documentation showing where data is processed and stored
  • Transfer Impact Assessments for non-EEA transfers
  • Certification status (ISO 27001, SOC 2, ISO 27701)
  • DPO contact information

Common GDPR Compliance Mistakes

Treating GDPR as a One-Time Project

GDPR compliance is ongoing. Data flows change, sub-processors are added, regulations evolve, and new guidance is issued. Build continuous compliance processes, not one-time checklists.

Ignoring Sub-Processor Obligations

Your GDPR compliance is only as strong as your sub-processor chain. Maintain up-to-date sub-processor lists, ensure DPAs are in place, and notify controllers of changes.

Inadequate Data Subject Request Processes

Many B2B SaaS companies lack efficient processes for handling data subject requests. Build technical capabilities for data export, deletion, and restriction before you need them.

Overlooking Data Minimisation

Collecting and retaining more data than necessary increases both compliance burden and breach risk. Implement data retention policies and regularly review what data you actually need.

Assuming Consent is Always Required

Consent is only one of six lawful bases. For B2B SaaS, contractual necessity and legitimate interests are often more appropriate and practical bases for processing.


How Orbiq Supports GDPR Compliance

  • Trust Center: Publish your GDPR compliance posture — DPA, sub-processor list, privacy documentation, and certification status for buyer self-service
  • Continuous Monitoring: Track GDPR-relevant controls across ISO 27001, SOC 2, and privacy requirements
  • Evidence Management: Centralize DPAs, DPIAs, transfer documentation, and breach records in a single compliance platform
  • AI-Powered Questionnaires: Auto-respond to GDPR-related questions in security questionnaires from your documented controls

This guide is maintained by the Orbiq team. Last updated: March 2026.