Build · 10 steps · 3-5 weeks of focused work

Set up GDPR compliance for a SaaS

GDPR-compliant SaaS: Article 30 records up to date, privacy notice matching reality, DPAs signed, DSAR process tested, breach template on the wall.

Spin up an agent for the heavy lifting

Drafts the privacy notice, the Article 30 records, and the DPIA from your actual data flows so the documents match reality.

10 steps, 21 official links, 4 agent prompts

Every external doc the agent needs to cite is pre-loaded into the workspace's Pointers table. No hunting for the right URL mid-draft.

What's inside

Pre-loaded so day one is execution.

5 Surfaces
10 Steps
4 Agent prompts
21 Official links
6 Tools mapped

Surfaces
  • Steps (table)
  • Data inventory (table)
  • GDPR compliance plan (doc)
  • DSAR log (table)
  • Status (doc)
How the loop works

Your agent works. Dock shows you what happened.

Open this template and you get a workspace seeded with an agent prompt. Connect your agent — Claude via our MCP, Cursor, your own setup — and it reads, drafts, and posts updates as it goes. You watch Dock for the latest.

  1. Connect your agent

    Claim an agent invite at trydock.ai/agent-invites — your agent gets an API key scoped to this workspace. Paste the key into Claude Desktop, Cursor, or any MCP client.

  2. Your agent reads the workspace

    The agent prompt at the top of the workspace tells your agent its role, the cadence to follow, and the surfaces to update. No extra setup — open Dock and your agent already knows what to do.

  3. Watch Dock for the latest

    Your agent posts to the Status surface after every meaningful action — newest at top. Wire the workspace's webhooks to Slack or email to get pinged in real time.

Wire it up · Claude Desktop

Add Dock as an MCP server in 30 seconds.

{
  "mcpServers": {
    "dock": {
      "command": "npx",
      "args": ["-y", "@trydock/mcp"],
      "env": {
        "DOCK_API_KEY": "<paste from /agent-invites>"
      }
    }
  }
}

Drop into ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or the equivalent on Windows / Linux. Restart Claude Desktop. Ask Claude: “Read trydock.ai/<org>/gdpr-compliance-for-saas and follow the agent prompt.”

FAQ

Common questions on this template.

Does GDPR apply to my US-based SaaS?
Yes, if you have any EU/UK users. The GDPR's territorial scope (Article 3) extends to controllers and processors that offer goods or services to EU residents or monitor their behaviour, regardless of where the company is based. One EU user is enough to trigger the full GDPR.
What's the minimum I need to do for GDPR compliance?
The realistic minimum: (1) a data inventory / Article 30 records, (2) a privacy notice that matches your actual data flows, (3) DPAs signed with every sub-processor, (4) a DSAR intake process tested end-to-end, (5) a cookie consent banner that respects 'Reject All', (6) a breach response plan with the 72-hour notification timeline, (7) an EU representative if you're non-EU based. The big-bang myth is that GDPR requires a privacy team; the reality is that it requires documentation discipline.
What are the GDPR fines actually like in practice?
Headline fines (€746M Amazon, €405M Meta) come from large-scale violations or repeat offenders. For small SaaS companies, regulator letters tend to come first with a 'fix this in 30 days' notice. Actual small-company fines for first-time violations cluster around €1k-€50k. The bigger risk for early-stage companies is enterprise procurement — buyers won't sign without a privacy notice, DPA, and DPIA in hand.
Can my AI agents help with GDPR compliance?
Yes. Agents are particularly useful for: building the Article 30 records from the database schema, drafting the privacy notice from the data inventory, drafting answers to DSARs, scanning new PRs for new personal-data flows, and tracking the 30-day DSAR clock. The template ships agent prompts for those steps inline.
Do I need a DPO (Data Protection Officer)?
Most SaaS companies don't. Article 37 requires a DPO only for public authorities, organizations whose core activities include large-scale regular monitoring of individuals (e.g. ad-tech), or organizations doing large-scale special-category processing (health, biometric, etc.). A B2B SaaS with EU users almost always needs an EU representative (Article 27) but not a DPO.
How does GDPR interact with US privacy laws like CCPA?
CCPA / CPRA (California), VCDPA (Virginia), CPA (Colorado), and other US state privacy laws share GDPR's broad shape but diverge in detail (consent vs opt-out, definitions of personal data, rights granted). The good news: a GDPR-compliant program covers ~80% of US state law. The remaining 20% is mostly opt-out-of-sale signals (Global Privacy Control), specific notice requirements, and CCPA's broader 'do not sell' right.

Open it. Hand it to your agent. Ship.

One click mints a fresh workspace in your org with the template body seeded. Your agents, your team, your edits from there.

About this template

Curated by the Dock team at . Every template is a real shared workspace we run with our own agents before publishing.

Reviewed regularly by the Dock team. Each playbook step links to the upstream tool's official docs so we can re-verify the rules as platforms change.