May 25, 2026 marks 10 years of GDPR. The European Data Protection Board (EDPB) published an official assessment in which 31 European data protection authorities mark the milestones of the first coordinated framework at continental level. Beyond the anniversary, the date is an occasion for an operational assessment: what really changed in practice for small SaaS, which obligations loosened, which tightened, and where the next four years are pointing, with the DSA, DMA, and AI Act already in production.
What GDPR really changed for your SaaS
1. Burden of proof shifted sides
Before 2018, proving that a company mishandled your data was the user's job. After GDPR, proving that it handles data properly is the company's job. For a small SaaS this means any complaint arrives with a presumption against the company, and internal documentation (records of processing activities, legal basis, retention periods) moves from "good practice" to evidentiary defense.
2. Privacy by design stopped being a label
GDPR Article 25: privacy by design and by default. It sounds abstract but operates concretely: any new feature should reach the sprint with the question "what personal data does it touch?" already answered. SaaS that add this question to their PR template save themselves costly audits down the road.
3. Consent banner became infrastructure
What in 2018 was a discreet footer is today a component with an SDK, a version log, and a visible diff. Consent that doesn't record which policy version the user saw isn't defensible in a complaint.
What loosened (and why)
| Aspect | Practical change |
|---|---|
| DPO designation | Still mandatory in many cases, but when it applies to SMEs has been clarified considerably (systematic large-scale processing, sensitive data) |
| Breach notification | The 72h deadline stands, but guidance on what to notify and what not to has stabilized after 8 years of practice |
| International transfers | The 2021 Standard Contractual Clauses (SCCs) simplified agreements with non-EU providers |
What tightened
| Aspect | 2026 reality |
|---|---|
| Effective fines | Total accumulated fines exceed 5 billion euros since 2018; regulators are less patient with repeat cases |
| Coordination between authorities | Cross-border cases are now processed in weeks, not years; EDPB cooperation has accelerated |
| Cookie and tracker enforcement | Spanish and French regulators lead in fines specifically targeting poorly implemented banners |
| Article 32 (security) compliance | After several high-profile cases, the minimum technical measures are less optional than they used to be |
GDPR no longer operates alone. It coexists with the Digital Services Act, Digital Markets Act, and AI Act. For a SaaS, this means compliance is no longer "we did the GDPR thing, we passed". It's a map of overlapping obligations that requires continuous updating.
The three trends coming from here
1. Convergence with the AI Act
Data protection and AI regulation converge. Classic GDPR DPIAs extend to high-risk AI systems. If your SaaS uses AI to process personal data (recommendations, scoring, automated decisions), prepare to review all your policies in the next 18 months.
2. Consent banner standardization
The EDPB is pushing toward more uniform consent banner patterns. Symmetric "Accept / Reject" options stop being a recommendation and become a requirement in several markets.
3. More frequent audits on small SaaS
Spain's AEPD reported 30,931 complaints in 2025, 64% more than the previous year. The threshold for an authority to audit is no longer "only large corporations"; medium-sized SaaS are coming onto the radar.
What to do in your SaaS in the next 90 days
- Internal audit of legal bases: verify each personal data flow has a documented GDPR basis (consent, contract execution, legitimate interest, etc.).
- Update your Privacy Policy for the DSA/DMA if they apply: new thresholds and obligations that weren't there in 2024.
- Implement a visible version history for your policies: essential for defending against complaints.
- Review international transfers: contracts with non-EU providers need current SCCs.
- Map AI features and prepare an updated DPIA for those classified as high-risk under the AI Act.
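The "consent banner became infrastructure" point and the version-history item in the checklist above come down to one data-model decision: every accept or reject event must reference the exact policy text the user saw. As an added illustration (not code from the original post, nor Termerly's), here is a minimal consent ledger that ties each decision to a content hash of the policy, stores rejections with the same fields as acceptances, and answers the question a complaint raises: what can the company show for processing at a given date? The "defensible" rule (an acceptance recorded against the policy version still in effect) and all names are assumptions; dates are ISO-8601 strings, which compare correctly as plain text.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PolicyVersion:
    version: str         # human-readable label, e.g. "2026-03" (assumed scheme)
    text: str            # the exact wording shown to the user
    effective_from: str  # ISO-8601 date; ISO dates compare correctly as plain strings

    @property
    def digest(self) -> str:
        # Hash of the exact wording: a label can be re-edited later, the hash cannot
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()

@dataclass
class ConsentLedger:
    policies: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def publish(self, policy: PolicyVersion) -> None:
        self.policies.append(policy)

    def policy_in_effect(self, at: str):
        # Latest published version whose effective date is on or before `at`
        live = [p for p in self.policies if p.effective_from <= at]
        return max(live, key=lambda p: p.effective_from) if live else None

    def record(self, user_id: str, decision: str, at: str) -> dict:
        # "reject" is stored with the same fields as "accept": symmetric evidence
        if decision not in ("accept", "reject"):
            raise ValueError("decision must be 'accept' or 'reject'")
        policy = self.policy_in_effect(at)
        if policy is None:
            raise ValueError("no policy was in effect at that time")
        event = {"user": user_id, "decision": decision, "at": at,
                 "policy_version": policy.version, "policy_sha256": policy.digest}
        self.events.append(event)
        return event

    def evidence(self, user_id: str, at: str) -> dict:
        # Latest prior decision for this user, and whether the policy text changed since
        prior = [e for e in self.events if e["user"] == user_id and e["at"] <= at]
        if not prior:
            return {"decision": None, "policy_changed_since": False, "defensible": False}
        last = max(prior, key=lambda e: e["at"])
        current = self.policy_in_effect(at)
        changed = current is not None and current.digest != last["policy_sha256"]
        return {"decision": last["decision"], "policy_version": last["policy_version"],
                "policy_changed_since": changed,
                "defensible": last["decision"] == "accept" and not changed}
```

Note that an acceptance given under an earlier policy text is reported as not defensible once a new version takes effect, which is exactly the signal for a re-consent prompt.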
"GDPR has established itself as the first comprehensive data protection framework across an entire continent, reshaping European digital reality and inspiring similar regulations globally" (synthesis of the official balance from the EDPB on its 10th anniversary).
Conclusion
Ten years of GDPR show a clear pattern: compliance stopped being a formality and became infrastructure. For small SaaS starting out in 2026, the good news is that the tools are mature; the bad news is that the demands are too. The difference between the SaaS that passes an audit without stress and the one forced to halt operations is the quarterly discipline of keeping policies, consent, and records current.
If you want to centralize privacy policy, cookie policy, ToS, and version records of multiple projects in a single dashboard, Termerly is free and covers the four jurisdictions (GDPR, CCPA, LGPD, PIPL) from day one.