GDPR for SaaS: a compliance checklist before going live

The minimal checklist before going live

Before launch, the right question is not “are we legally perfect?” It is “have we understood which data the product processes, why, with whom, and for how long?”

• Which personal data does the product actually process?
• Who can access it, under which role logic and with which logging?
• Are the vendor and subprocessors contractually framed?
• Can people be properly informed and exercise their rights?
• Have retention and deletion policies been designed?

The often underestimated point

GDPR is not only about documentation. It depends on very concrete product elements: where data appears, who sees it, how it moves, and how it gets deleted.

A product can have a correct privacy policy while still being badly designed from a compliance standpoint: permissions that are too broad, easy data export, incomplete deletion, or no clear logic for retention periods.

That is why a useful GDPR audit must also talk about roles, screens, architecture, and operations. Compliance is not only decided in a register; it is decided in how the tool actually works.

What France Num reminds us of

A solution can look simple, fast, and functional while actually processing a large amount of sensitive or structurally important data. The first task is therefore to map it properly.

That mapping must be concrete enough to inform product decisions afterward: admin screens, permissions, exports, subprocessors, retention, and the ability to answer data-subject requests.

Decisions to settle before launch

Before going live, several points need explicit decisions: which data is truly necessary, who can see it, which exports are allowed, and which traces must be kept to remain able to explain the processing.

This work may seem less spectacular than a product feature, but it prevents heavy corrective work later, commercial blockers, or improvised answers when a client, employee, or partner asks for guarantees.