Compliance
GDPR (for US Startups)
Quick definition
EU General Data Protection Regulation governing how you handle personal data of EU residents — even if you're a US company.
GDPR (General Data Protection Regulation, 2018) applies to any company processing personal data of EU residents, regardless of where the company is based. Requirements: lawful basis for processing, data subject rights (access, deletion, portability), data breach notification within 72 hours, appointment of a Data Protection Officer (DPO) in some cases. Penalties: up to €20M or 4% of annual global revenue. Most US startups become subject when they sign their first EU customer.
Related compliance terms
SOC 2 Type I vs Type II
Type I attests controls are designed correctly at a point in time; Type II attests they operated effectively over 6–12 months.
SOC 1
Attestation report focused on internal controls over financial reporting (ICFR). Relevant for vendors whose services affect customers' financial statements.
HIPAA Compliance for Startups
Healthcare Information Privacy regulation governing protected health information (PHI). Required for any startup handling patient data.
CCPA / CPRA
California Consumer Privacy Act (2020) + California Privacy Rights Act (2023). Grants California residents data privacy rights similar to GDPR.
Frequently asked questions
- What is GDPR (for US Startups)?
- GDPR (General Data Protection Regulation, 2018) applies to any company processing personal data of EU residents, regardless of where the company is based. Requirements: lawful basis for processing, data subject rights (access, deletion, portability), data breach notification within 72 hours, appointment of a Data Protection Officer (DPO) in some cases. Penalties: up to €20M or 4% of annual global revenue. Most US startups become subject when they sign their first EU customer.
- Why is GDPR (for US Startups) important for startups?
- GDPR (for US Startups) is a compliance concept that matters for startup founders because it directly affects fundraising readiness, financial decision-making, or operational discipline at the stage where mistakes are expensive to undo. Founders who understand it have a meaningfully easier time in diligence, board meetings, and investor conversations.
- What category does GDPR (for US Startups) belong to?
- GDPR (for US Startups) is a Compliance term in the StartupCFO finance glossary — alongside other compliance concepts that founders, CFOs, and accountants use in daily startup operations and reporting.
- Where can I learn more about GDPR (for US Startups)?
- Beyond this definition, see the related compliance terms below, or explore StartupCFO's insights and tools that put GDPR (for US Startups) in context. For specific situations, talk to a fractional CFO who can walk through your numbers.
Got a finance question that needs more than a definition?
Talk to a real CFO. 30 minutes, no contract, free.
