Here is something most founders discover too late: data protection law does not follow your company. It follows your users.
You might be incorporated in India, operating from Dubai, with your servers on AWS in Singapore. But the moment a user in Germany signs up for your product, the EU’s General Data Protection Regulation applies to how you handle their data. The moment a California resident subscribes to your SaaS tool, the California Consumer Privacy Act has something to say about your data practices. Your incorporation country is irrelevant to this calculation. The user’s location is everything.
This is not a theoretical risk. It is the most common and most overlooked compliance gap in globally facing startups right now. And in 2026, with regulators actively enforcing across jurisdictions and enterprise buyers demanding compliance documentation before signing contracts, it has become a commercial problem as well as a legal one.
This guide breaks down the key data protection frameworks that affect international founders, explains what triggers each one, and gives you a practical checklist to work through before your next enterprise deal or funding conversation.
Why Location of Incorporation Does Not Protect You
The foundational principle behind modern data protection law is territorial reach based on the data subject’s location, not the data controller’s. This is the design choice that makes GDPR apply to a startup in Bangalore serving users in Munich. It is also what makes India’s DPDP Act relevant to a company in London that processes data of Indian residents.
Most founders understand this intellectually but have not acted on it structurally. They have a privacy policy that mentions GDPR, a cookie banner that is technically present, and a belief that this is probably sufficient. For most regulators, and certainly for enterprise procurement teams, it is not.
The Key Data Protection Frameworks and What Triggers Each One
GDPR: European Union
The GDPR applies to any organisation that targets EU residents or monitors their behaviour, regardless of where the organisation is located. It requires a lawful basis for every processing activity, explicit consent mechanisms, and the ability to respond to data subject access requests. Breach notification must reach the relevant supervisory authority within 72 hours of discovery. Fines for non-compliance can reach €20 million or 4% of global annual turnover, whichever figure is higher. For cross-border data transfers, Standard Contractual Clauses remain the most widely used mechanism for transfers to countries without an adequacy decision.
CCPA and US State Laws: United States
The California Consumer Privacy Act gives California residents the right to know what data is collected about them, the right to delete it, and the right to opt out of its sale. As of 2026, more than 20 US states have enacted comprehensive data privacy laws with varying thresholds, consumer rights, and penalty structures. These laws generally apply based on the volume of consumer data processed or the percentage of revenue derived from data sales, not on the geographic location of the company. A SaaS platform serving US customers needs to audit which state frameworks apply based on its actual user base.
DPDP Act: India
India’s Digital Personal Data Protection Act applies to the processing of digital personal data within India and also covers foreign entities offering goods or services to data principals residing in India. It gives individuals rights to consent, access, and correction of their data, and contains specific provisions around cross-border data transfers and the processing of children’s data. Phase 2 and Phase 3 of the Act’s rollout are active in 2026, meaning enforcement is no longer a future consideration.
PIPEDA: Canada
Canada’s Personal Information Protection and Electronic Documents Act takes a principles-based approach requiring organisations to obtain consent for data collection, limit collection to what is necessary, and ensure comparable levels of protection when data is transferred internationally. Unlike the GDPR, PIPEDA does not allow the Privacy Commissioner to impose direct fines, but severe violations can result in federal prosecution with penalties reaching CAD 100,000 per violation.
LGPD: Brazil
Brazil’s Lei Geral de Proteção de Dados applies to any organisation that processes data within Brazil, offers goods or services there, or collects data on individuals located in Brazil. It mirrors many GDPR principles including lawful bases for processing, data subject rights, and data transfer restrictions. Brazil and the EU reached a mutual adequacy decision in January 2026, allowing freer data flows between the two jurisdictions. For transfers to countries without adequacy, Standard Contractual Clauses are now mandatory.
PIPL: China
China’s Personal Information Protection Law applies to domestic and foreign entities that process data on individuals in China. It requires explicit consent, data minimisation, and strict controls on cross-border transfers, which typically require a government security assessment or standard contracts approved by Chinese authorities. For founders serving Chinese users or operating with Chinese partners, PIPL creates some of the most demanding compliance requirements of any jurisdiction globally.
What Enterprise Clients Are Actually Asking For in 2026
The commercial reality is that data compliance has become a sales requirement. Enterprise procurement teams in the US, EU, and UK routinely ask for evidence of GDPR compliance, Data Processing Agreements, and third-party security assessments before contracts are signed. Deals stall or die not because the product is wrong but because the compliance documentation does not exist.
A Data Processing Agreement is a specific legal document required under GDPR and expected by most enterprise buyers globally. It defines how your company processes the client’s data, what security measures are in place, what happens in a breach, and what your sub-processors are permitted to do. Without a signed DPA, most enterprise clients in regulated industries will not proceed.
The International Data Compliance Checklist for Founders
Work through this before your next enterprise deal, investor meeting, or market expansion.
Step 1: Map Where Your Users Actually Are
- Identify every country and US state where your users or customers are located, not just where they signed up from.
- Cross-reference that list against the data protection frameworks above to determine which laws currently apply to your product.
- Identify any markets you plan to enter in the next 12 months and research the applicable data laws before you expand.
- If you have users in China or process Chinese personal data, get specific PIPL legal advice before going further — this framework has unique requirements that generic compliance approaches do not cover.
Step 2: Audit Your Data Flows
- Document every category of personal data your product collects — names, emails, payment details, usage data, location data, device identifiers.
- Map where each data category is stored and processed, including third-party tools (analytics platforms, CRMs, email tools, cloud infrastructure).
- Identify every third-party sub-processor that has access to personal data and check that a Data Processing Agreement exists with each one.
- Note any cross-border data transfers and confirm that a lawful transfer mechanism exists for each one — adequacy decision, Standard Contractual Clauses, or other approved mechanism.
Step 3: Review Your Legal Documents
- Privacy Policy: Does it accurately describe the data you collect, the lawful basis for processing, and user rights under each applicable framework? If it was written more than 12 months ago, it almost certainly needs updating.
- Terms of Service: Do they accurately reflect how your product works today, including any AI features, user-generated content, or third-party integrations added since the original draft?
- Data Processing Agreement template: Do you have one ready to send to enterprise clients who request it? It should cover processing purposes, security measures, sub-processors, breach notification timelines, and data deletion obligations.
- Consent mechanisms: Are your cookie banners, signup flows, and marketing opt-ins compliant with the specific requirements of GDPR (opt-in), CCPA (opt-out), and other applicable frameworks?
Step 4: Build Your Operational Compliance Infrastructure
- Data Subject Access Request process: Can you respond to a user requesting access to, correction of, or deletion of their data within the required timeframes — 30 days under GDPR, shorter under some frameworks?
- Breach notification process: Do you have a documented incident response plan that covers the 72-hour GDPR notification requirement and the equivalent requirements under other applicable frameworks?
- Data retention policy: Do you have defined retention periods for each category of data you hold, and a process for deleting data when it is no longer needed?
- EU or UK representative: If you process EU or UK resident data without a physical presence in those jurisdictions, GDPR may require you to appoint a local representative. Check whether this applies to your situation.
Step 5: Before Every New International Deal
- Before onboarding a new enterprise client in a new jurisdiction, identify which data protection laws apply to that client relationship specifically.
- Ensure a signed DPA is in place before processing any of the client’s customer data.
- If their vendor questionnaire asks for compliance certifications you do not have, address the gap before the contract is signed, not after.
- Confirm that your liability clauses, indemnification provisions, and data breach responsibilities in the client contract reflect the specific regulatory environment you are operating in.
The Bottom Line for Global Founders
Data privacy compliance is not a one-time task. It is a function of where your users are, what your product does with their data, and how the regulatory landscape in each jurisdiction evolves. In 2026 that landscape is moving faster than most founders can track without dedicated support.
The founders who get this right are not the ones with the most resources. They are the ones who mapped their obligations early, built the documentation that enterprise clients expect, and treated data compliance as part of the product rather than something bolted on before a deal closes.
The checklist above is your starting point. Work through it honestly. The gaps you find are the ones worth fixing before your next investor conversation, your next enterprise deal, or your next market expansion.
Need Help Navigating International Data Compliance?
My Legal Pal works with founders building globally from India, the UAE, the UK, and beyond. We help startups understand which data protection frameworks apply to their specific product and user base, draft privacy policies and DPAs that enterprise clients actually accept, and build the legal infrastructure that lets you close deals faster.
If you are dealing with an international client asking for compliance documentation you do not have, or expanding into a new market and unsure what your obligations are, visit mylegalpal.com to speak to our team.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Data protection laws vary by jurisdiction and are subject to frequent change. Please consult a qualified legal professional before making compliance decisions.