Compliance Checklist | 4 minutes read
Published July 14, 2025 | Updated July 14, 2025

UK SaaS compliance checklist: VAT, GDPR and a pragmatic roadmap for startups

Glencoyne Editorial Team
The Glencoyne Editorial Team is composed of former finance operators who have managed multi-million-dollar budgets at high-growth startups, including companies backed by Y Combinator. With experience reporting directly to founders and boards in both the UK and the US, we have led finance functions through fundraising rounds, licensing agreements, and periods of rapid scaling.

Part 1: Navigating UK SaaS VAT Obligations

For UK SaaS founders, compliance often feels like a significant distraction from building a product and winning customers. The two areas causing the most confusion are money and data, specifically Value Added Tax (VAT) and the General Data Protection Regulation (GDPR). This guide provides a pragmatic roadmap for meeting your UK SaaS compliance requirements, translating complex rules into actionable steps for startups from pre-seed to Series B.

Value Added Tax is a sales tax applied to most goods and services, and for a software company, your recurring subscriptions are treated as services. The complexity arises because the rules change depending on where your customer is located. Understanding your SaaS VAT obligations, particularly the different treatment for UK customers versus business-to-consumer (B2C) sales into the European Union, is fundamental to scaling without creating future financial headaches. Getting this right early on saves significant time and prevents potential penalties.

When Do I Need to Register for VAT?

You are not required to handle VAT from day one, but you must monitor your sales to know when you cross specific registration thresholds. There are two separate numbers to track, and the second one often comes as a surprise.

First is the domestic UK threshold. According to HMRC, the UK domestic VAT threshold is £85,000 of taxable turnover in a rolling 12-month period. This applies to your revenue from UK-based customers. It is not based on a calendar year, so at the end of each month you must look back over the previous 12 months and check the total.

Second is the threshold for digital services sold to EU consumers. The EU digital services VAT threshold is €10,000 for total B2C sales across all 27 EU member states. This threshold is much lower and applies to your combined sales to consumers in all EU countries. For a SaaS startup with a £49 per month plan, it would only take around 17 B2C customers across the entire EU to cross this threshold in a year. This lower limit catches many founders off guard and is a critical part of any UK tech compliance guide.

How Do I Handle VAT Once I Cross a Threshold?

When you cross a VAT threshold, you have two paths: a Do-It-Yourself (DIY) approach or a managed solution. The right choice depends on your team's resources and your product's global reach.

1. The DIY Path: Direct Registration

This approach involves registering directly with the tax authorities. For UK VAT, you register with HMRC and submit quarterly returns. A key part of these UK SaaS regulations is that UK VAT filing must be done using 'Making Tax Digital' (MTD) compatible software; modern accounting platforms like Xero are designed for this. For EU VAT on B2C sales, you can use the One-Stop-Shop (OSS) scheme, which allows you to file a single return covering all 27 EU member states, avoiding the need to register in each country individually.

2. The Managed Path: Merchant of Record (MoR)

A Merchant of Record service, such as Paddle or Lemon Squeezy, acts as a reseller of your software. They handle the entire customer transaction, including calculating, collecting, and remitting all relevant sales taxes and VAT globally. In exchange, they charge a higher transaction fee than a simple payment processor like Stripe. The choice is a trade-off: higher operational cost for the near-total removal of the compliance burden, which is often a worthwhile investment for a small team focused on growth.

Part 2: A Practical Guide to GDPR for SaaS Startups

Beyond financial rules, software company legal requirements in the UK extend deeply into data handling. The General Data Protection Regulation (GDPR) governs how you collect, process, and store personal data. While its reputation is intimidating, the goal for a startup is not immediate perfection but achieving 'Minimum Viable Compliance' that respects user rights and satisfies the regulator.

The Information Commissioner's Office (ICO) is the UK's data protection authority, and its expectations of a small business are proportionate to its size and resources. The focus should be on implementing foundational, common-sense processes for SaaS data protection in the UK.

What Does 'Good Enough' GDPR Look Like for a Startup?

For an early-stage company, 'good enough' means covering the basics without hiring expensive consultants. Your initial GDPR checklist for a SaaS startup should include four key actions.

  1. Register with the Regulator: It is a legal requirement for most UK businesses that process personal data to register with the ICO. The annual ICO registration fee for most small businesses is between £40 and £60, making this a simple and inexpensive first step to demonstrate compliance.
  2. Implement Lawful Consent: This means no pre-ticked boxes for marketing emails or non-essential cookies on your website. Consent must be an active, unambiguous opt-in choice from the user. You should review the settings in your analytics and marketing tools, such as Google Analytics or Intercom, to ensure they align with this principle.
  3. Publish Clear Policies: Use a service like iubenda or Termly to generate a compliant privacy policy and cookie policy. These documents should be easy for users to find and understand, explaining what data you collect, why you need it, and how long you store it.
  4. Prepare for Data Subject Rights: Under GDPR, users have the right to request a copy of their data (a Subject Access Request) or ask for its deletion. You do not need a complex automated system at first, but you must have a simple, documented internal process for how your team will handle a request when it arrives, typically within one month.

Your Phased UK SaaS Compliance Requirements Roadmap

Your compliance work can be broken down into manageable stages. It is not about doing everything at once but taking the right action at the right time as your business grows.

Stage 1: Day One Essentials

Before you even have customers, handle the data basics. Register with the ICO online; it takes minutes. Use a policy generator to get your privacy and cookie policies live on your website. This establishes a baseline of good practice from the start.

Stage 2: As You Start Generating Revenue

Once you begin making sales, use your accounting software, such as Xero, to create reports that monitor UK sales and EU B2C sales separately. At the end of each month, check your rolling 12-month totals against the £85,000 UK and €10,000 EU thresholds.

Stage 3: Approaching a VAT Threshold

When you are approaching a threshold, make a clear decision. For the EU's €10,000 limit, decide whether you will use a Merchant of Record or register for the OSS scheme. For the UK's £85,000 limit, begin the HMRC registration process. Acting before you cross the line prevents a last-minute rush and ensures your UK SaaS compliance requirements are met proactively. For more detail, see the compliance checklist hub.

Frequently Asked Questions

Q: Do I need to charge UK VAT to customers outside the UK?

A: Generally, no. For B2B sales, the 'place of supply' is where your customer is based, so UK VAT does not apply. For B2C sales outside the UK, you must follow the local tax rules of your customer's country, such as the EU OSS scheme for consumers in Europe.

Q: What is the difference between a privacy policy and a cookie policy?

A: A privacy policy is a comprehensive document explaining all the ways your company collects, uses, and protects personal data. A cookie policy is more specific, detailing only the cookies your website uses, their purpose, and how users can manage their consent for them.

Q: Does GDPR apply if my SaaS only serves B2B customers?

A: Yes. GDPR protects the data of individuals, not companies. Information like a business email address (e.g., name.surname@company.com) or a work phone number is considered personal data. Therefore, you must handle your B2B customer contact information with the same care as B2C data.

This content shares general information to help you think through finance topics. It isn’t accounting or tax advice and it doesn’t take your circumstances into account. Please speak to a professional adviser before acting. While we aim to be accurate, Glencoyne isn’t responsible for decisions made based on this material.
