How long does GDPR Implementation take?

GDPR is here. We hear a lot of companies wondering how long it takes to actually be compliant. This is the omnipresent question that you will find companies, executives and pretty much everyone else asking these days. So we decided to try and answer this question for you. We surveyed about 15 experts to help us answer this question. We'll now learn how long GDPR implementation takes according to the survey.

The first thing to realize is that compliance is a step by step process and depends on a number of factors like the number of employees and processing activities among others. Here are some basic assumptions that we have made:

1): We are excluding big multinational firms from this survey since they have complex structures and estimating the time for them would require extensive research into these structures.

2): The parameters around the size of the company that we have set for this blog is a small or medium-sized company with 50 to 250 employees in total.

3) We exclude financial, health, recruitment and market research companies since they are more complicated.

However, the experts whom we surveyed were able to tell us from the get-go that the amount of time needed to become GDPR compliant depends on a lot of different factors. Some of these are:

• Commitment to compliance
• Number and type of processes
• Number of vendors
• Type of data
• Knowledge
• Prior Processes
• Number of employees

Moreover, what everyone needs to understand is that GDPR implementation and its compliance is a step by step process that also requires long-term commitment and integration into the existing structures and processes of the company.

And let’s break down this big term into some basic, simple steps you can consider this as your GDPR implementation guide:

Step 1: Creating Records of Processing Activities

Keeping Records of Processing Activities (RPA) is a stipulation of Article 30 of the GDPR explicitly requiring businesses to document their processing activities and recording the processing purposes, data sharing, and retention. These records need to be made available upon the Information Commissioner’s Office (ICO). In short, every periodic step that the data is processed through has to be documented for the authorities.

This is of course, highly dependent on what the company actually does and its pertaining activities. For instance, a headhunter has sensitive data that they have to document. This could include the candidates’ names, current position, company, date of birth and many others. Every step that this data goes through has to be documented so that if the Data Subject inquires about how their data is used, the headhunter is ready to answer that.

Opinions of the experts whom we surveyed were quite dispersed and estimated that it could take on average 40 hours in this part of GDPR implementation.

Step 2: Evaluate the third parties

This is a critical step in being GDPR compliant and one that needs special attention since outsourcing and having several vendors is such an integral part of most businesses today. Vendor risk management (VRM) from a GDPR perspective is basically to make sure that all the services you use for your business do not violate your data protection regulations and create disruptions for you.

This, according to our experts, could take you on average 30 hours and depends again on the type of work your company does and the number of vendors you have.

Step 3: Data Protection Impact Assessment

Data Protection Impact Assessment refers to estimating the entire risk for the company and it pertaining operations. Essentially, it means that an external person helps the organization to identify, assess and minimize the risk of their processing activities. An overwhelming majority of the experts whom we surveyed were of the opinion that for an external consultant to do that for a client could take from 25 hours on average based on our GDPR implementation survey.

What happens after you become compliant?

If you thought it was a one-time thing, then you were…WRONG.

Because being compliant is a process which changes as your company grows, evolves and modifies its operations. It’s important to think of it as an ever-present goal for your company.

Our experts estimate the number of hours per year that you would need to keep complying would take on average 75 hours. Moreover, some of them were also of the opinion that the company’s Data Protection Officer (DPO) should actually calculate the hours based on the Data Protection Impact Assessment.

To conduct an annual Data Protection Audit, our experts were once again very divided. The average response came to about 10 days a year.

We think that automating your compliance process will actually save you a lot of hassle and will replace the external consultants that you would otherwise have to hire (the cost of which could be on average about 150 euros per hour, according to our experts). So in short, we suggest to really estimate the time you need in your pre-assessment holistically taking into account all your activities.  

GDPR checklist or Key takeaways:

1) If someone is cheaper than 100 euros per hour: think if they really want to sell their services or actually want you to be compliant?

2) Automating compliance will definitely make this GDPR compliance 5x faster since it will reduce the need for prior knowledge that you need to collect and assess

3) Having a software will also make compliance easier to manage in the future since you will be able to track your progress and be able to see what still needs to be done

4) Overall the GDPR project takes more than 200 hours if you have done nothing at all