The short answer

GDPR does not have a certificate. You cannot pass an exam, receive a seal, and declare yourself done. What you are building toward is a defensible compliance baseline: a documented set of controls, legal bases, policies, and processes that stand up to scrutiny from an EU data protection authority (DPA) or a security-conscious enterprise buyer.

For most SaaS companies starting from scratch, that baseline takes 2 to 4 months. Companies with mature engineering practices and existing documentation (SOC 2, ISO 27001) typically land closer to 8 to 10 weeks. Companies with no prior compliance work, fragmented data systems, or a large number of third-party processors often find 4 months is realistic rather than conservative.

This post explains what drives the timeline, where teams consistently underestimate the work, and what "GDPR compliant" actually means when an EU prospect asks.


What GDPR requires in practice for a SaaS company

GDPR applies to any company that processes personal data of EU residents, regardless of where the company is based. A SaaS company in Hanoi with paying customers in Germany must comply.

The practical requirements group into five areas.

For each category of personal data you collect, you need a documented legal justification: consent, contract performance, legitimate interests, legal obligation, vital interests, or public task. Most B2B SaaS companies rely primarily on contract and legitimate interests. Getting this wrong is one of the most common causes of DPA complaints.

Article 30 requires organizations to maintain a written record of all processing activities (ROPA). This is a register of what data you collect, why, how long you keep it, who you share it with, and what security measures protect it. For a typical SaaS product, a ROPA has 15 to 40 entries covering product data, support, analytics, marketing, and HR.

Your privacy notice is a public-facing document telling users what data you collect, why, for how long, their rights, and how to exercise them. Most SaaS companies already have a privacy policy, but many do not meet GDPR's specificity requirements.

EU individuals can request access to, correction of, deletion of, or portability of their personal data (data subject rights, or DSRs). You need a defined process to receive, verify, route, and fulfill these requests within 30 days.

GDPR requires notification to the relevant DPA within 72 hours of becoming aware of a breach that poses risk to individuals. You need a documented incident response procedure that includes this notification step.

Every vendor or subprocessor that handles personal data on your behalf needs a signed Data Processing Agreement (DPA) with Article 28-compliant terms. For a typical SaaS company, this list runs longer than expected: AWS, Stripe, Intercom, Mixpanel, HubSpot, Sentry, and every other tool your product or team uses.

Most SaaS companies do not need a mandatory Data Protection Officer (DPO). The requirement applies to companies that process data at large scale, process sensitive categories of data, or engage in systematic monitoring of individuals. If you are a B2B SaaS handling standard business contact and usage data, you likely do not need one.


The four phases and realistic time estimates

Phase 1: Data mapping and inventory (3-5 weeks)

This is the phase that almost always takes longer than expected. Data mapping means answering: what personal data does your system collect, where does it live, who can access it, and what does it flow into?

For a SaaS product, data rarely lives in one place. You have production databases, staging and development environments (which often contain copies of production data), analytics tools, customer support platforms, email tools, error tracking systems, internal Slack channels, and cloud storage. Each one is a processing activity that needs to be in your ROPA.

The discovery process is partly technical (scanning data stores, reviewing API integrations) and partly organizational (interviewing product, engineering, sales, and support teams). It requires someone with authority to get responses and access.

Skipping this phase, or doing it superficially, breaks everything that follows. Your legal basis documentation, retention schedules, and DPA agreements all depend on knowing what data you actually have.

With a complete data map, you can assign a legal basis to each processing activity, set retention periods, and draft or update your privacy notice. This phase also produces your ROPA in its structured form.

If you are using legitimate interests as a legal basis for any processing, you need a Legitimate Interests Assessment (LIA) for each one. An LIA is a written test balancing your interests against the privacy interests of the individual. It is not long, but it is required and needs to be specific to each use case.

Phase 3: Process and policy implementation (2-3 weeks)

This covers your DSR handling process, data breach response procedure, and internal training. For DSRs, you need a way for individuals to submit requests, a way to verify identity, a workflow to route the request to the right team (engineering, support, data), and a way to track the 30-day deadline.

Many companies handle DSRs manually at first, using a form that routes to a compliance inbox. This works at low volume. If you expect a high volume of requests, you will want this connected to your data systems.

Phase 4: Vendor and processor management (ongoing, initial sprint 2-3 weeks)

Identify every third-party vendor that processes personal data on your behalf. Review whether they have signed DPAs available. For large providers (AWS, Google, Stripe), these are usually click-through agreements in their terms or admin consoles. For smaller vendors, you may need to request a custom DPA.

Create a processor register: a list of all approved subprocessors, the legal basis for using them, the data categories they access, and their data transfer mechanisms if they are outside the EU or EEA.


Where SaaS companies typically underestimate the work

Engineering teams routinely copy production data to dev or staging for testing. This data is usually in scope for GDPR, is often less protected than production, and is almost always missing from initial data maps. Cleaning this up, or implementing proper data anonymization in lower environments, can take weeks.

The analytics stack is another common blind spot. Session recording tools, product analytics, A/B testing platforms, and advertising pixels are all processing EU personal data. Each needs a legal basis (usually consent), appropriate notice, and a DPA. If you are running Google Analytics or Facebook Pixel without a cookie consent mechanism that meets GDPR standards, that alone is a significant remediation task.

Your helpdesk, live chat, and CRM contain customer personal data. They need DPAs, retention policies, and sometimes data minimization work: not storing more than you need.

Processor agreement management compounds quickly. A company with 30 SaaS tools in its stack needs 30 DPAs. Tracking whether each one is signed, current, and covers the right data categories is a project in itself. It also needs to stay current: every new tool you onboard needs a DPA before you start using it.

Finally, many companies draft a DSR process but never test it end to end. In practice, a deletion request often touches five or more systems: the product database, the analytics platform, the email tool, the support system, and backups. Mapping and testing these flows before you have a live request from an EU user saves significant time later.


The Vietnam-specific angle

Vietnamese SaaS companies building for or expanding into EU markets are fully in scope for GDPR. The regulation applies based on where your data subjects are located, not where your company is incorporated or your servers are hosted.

There is relevant overlap with Vietnam's own data protection regulation, Decree 13/2023 on Personal Data Protection (PDPD). Both frameworks require consent for certain types of processing, mandate breach notification, give individuals rights over their data, and require contracts with data processors. If you have already done work to comply with PDPD, some of that documentation and process work carries over.

The main gaps between PDPD and GDPR that Vietnamese companies typically need to address:

AreaPDPDGDPR gap
Records of processingNot explicitly required in same formROPA required for companies with 250+ employees or high-risk processing
Legal basis documentationConsent-heavy frameworkGDPR has 6 lawful bases; contract and legitimate interests are commonly used in B2B SaaS
Data transfer mechanismCross-border transfer restrictions existEU-to-non-EU transfers require specific safeguards (SCCs, adequacy decision)
DPO requirementNot required for most companiesAlso not required for most B2B SaaS; criteria differ slightly
DSR response time72 hours for some requests30 days for most DSRs (with possible 60-day extension)

For Vietnamese companies handling EU data, Standard Contractual Clauses (SCCs) are typically the right mechanism for legitimizing data transfers out of the EU to Vietnam. Vietnam does not have an EU adequacy decision. Including SCCs in your DPAs with EU customers or in your terms of service, combined with a Transfer Impact Assessment (TIA), covers this requirement.


What "GDPR compliant" means when an EU prospect asks

When a large EU company asks "are you GDPR compliant?", they are usually checking for three things.

First, can you sign a Data Processing Agreement? Enterprise legal teams will want a DPA with Article 28 terms, a subprocessor list, and your data transfer mechanism. If you cannot produce this, the deal typically stalls.

Second, do you have a privacy notice that meets GDPR specificity requirements? Buyers perform basic due diligence. A vague privacy policy from 2019 is a red flag.

Third, do you have answers to their security questionnaire? Most enterprise buyers use a security questionnaire as part of procurement. Questions will touch on encryption, access controls, incident response, and data residency. GDPR compliance work naturally produces most of these answers.

Being "GDPR compliant" in a sales context means you have a signed DPA ready, your privacy notice is current, your data processing practices are documented, and you can explain how you handle personal data if asked. It does not require a third-party audit or certification (though SOC 2 or ISO 27001, if you have them, provide supporting evidence).


Maintaining compliance after the initial project

Reaching a defensible baseline is not the end. GDPR requires ongoing management.

Your data map becomes outdated as your product evolves and your tool stack changes. Review and update the ROPA at least once a year, and any time you introduce a new processing activity.

Once a year, review your subprocessor list. Check that DPAs are still in place, that vendors have not materially changed their data practices, and that you are still using each tool for the purpose you documented.

Staff who handle personal data (engineering, support, sales, HR) need basic awareness training on GDPR obligations. Document that this training happened. Annual refreshers are standard practice.

Even if a security incident does not meet the threshold for DPA notification, document it. The log demonstrates you have a functioning incident response process.

Track every data subject request received, the response timeline, and the outcome. This is your evidence if a DPA ever investigates a complaint.

The maintenance overhead for a typical SaaS company, after the initial project, is roughly 2 to 4 days of work per quarter. The initial project front-loads the work. Keeping it current is mostly a matter of process and discipline.


A realistic project structure

If you are planning a GDPR compliance project, the timeline looks roughly like this for a SaaS company with 20 to 100 employees and a moderately complex tech stack:

PhaseActivitiesTime estimate
Data mappingInventory all personal data across product, dev/staging, analytics, support, marketing, HR; build ROPA draft3 to 5 weeks
Legal basis and documentationAssign legal basis per activity; draft LIAs where needed; update privacy notice; finalize ROPA2 to 3 weeks
Process implementationDSR workflow; breach response procedure; staff training; internal policy documentation2 to 3 weeks
Vendor managementIdentify all processors; collect or sign DPAs; build subprocessor register; implement SCCs for cross-border transfers2 to 3 weeks
Review and testingTest DSR process end to end; internal review of all documentation; DPA template ready for customer review1 to 2 weeks

Total: 10 to 16 weeks working at a reasonable pace, with the data mapping phase determining the actual length. Companies where engineering owns data mapping and can run it concurrently with legal documentation can compress to 8 to 10 weeks.

Platforms like pTrackly reduce the mapping and documentation phases by pre-building the framework: ROPA templates, LIA templates, processor registers, and DSR tracking workflows come pre-configured rather than built from scratch. The time savings are most significant in phases 1 and 4, which are typically the longest.

The most common mistake is starting the project too late, usually when an EU enterprise deal is already in due diligence. Start early. An EU expansion without GDPR baseline documentation in place will slow down your first few deals in ways that hurt more than the compliance project itself.

Tags:
GDPR compliance timelinehow long GDPRGDPR for SaaSdata protection complianceEU market SaaS