56 days left until GDPR enforcement and we hear a lot of companies wondering how long it takes to actually be compliant. This is the omnipresent question that you will find companies, executives and pretty much everyone else asking these days. So we decided to try and answer this question for you. We surveyed about 15 experts to help us answer this question.


The first thing to realize is that compliance is a step by step process and depends on a number of factors like the number of employees and processing activities among others. Here are some basic assumptions that we have made:

1) We are excluding big multinational firms from this survey since they have complex structures and estimating the time for them would require extensive research into these structures.

2) The parameters around the size of the company that we have set for this blog are those of a small or medium-sized company with 50 to 250 employees in total.

3) We exclude financial, health, recruitment and market research companies since they are more complicated.

However, the experts whom we surveyed were able to tell us from the get-go that the amount of time needed to become GDPR compliant depends on a lot of different factors. Some of these are:

  • Commitment to compliance
  • Number and type of processes
  • Number of vendors
  • Type of data
  • Knowledge
  • Prior Processes
  • Number of employees

Moreover, what everyone needs to understand is that compliance is a step by step process that also requires long-term commitment and integration into the existing structures and processes of the company.

So take a deep breath…

And let’s break down this big term into some basic, simple steps:


Step 1: Pre-Assessment

So before you start going down the compliance path you need to take stock of what your current state of compliance with regard to the General Data Protection Regulation (GDPR) framework actually looks like. The pre-assessment depends heavily on the size of your company and the processes you have. The aim is usually to figure out the resource commitment that your company needs in order to actually comply.

Through our survey we found out that half of the experts whom we surveyed estimated that for a company between 50 and 250 employees, it would take on average 15 hours to complete a pre-assessment.

The important thing to remember here is that the scope you set, the commitment you make to the assessment, and the extent of your prior knowledge will play a determining role in how long the pre-assessment takes.


Step 2: Creating Records of Processing Activities

Keeping Records of Processing Activities (RPA) is a stipulation of Article 30 of the GDPR, which explicitly requires businesses to document their processing activities, recording the purposes of processing, data sharing and retention. These records need to be made available to the Information Commissioner’s Office (ICO) upon request. In short, every step that the data is processed through has to be documented for the authorities. If you are confused about the RPA, you can check out this video and get this cleared up.

This is, of course, highly dependent on what the company actually does and the activities that pertain to it. For instance, a headhunter has sensitive data that they have to document. This could include the candidates’ names, current position, company, date of birth and many others. Every step that this data goes through has to be documented so that if the Data Subject inquires about how their data is used, the headhunter is ready to answer.


The opinions of the experts whom we surveyed were quite dispersed; on average they estimated that it could take 40 hours.


Step 3: Evaluate the third parties

This is a critical step in being GDPR compliant and one that needs special attention, since outsourcing and having several vendors is such an integral part of most businesses today. Vendor risk management (VRM) from a GDPR perspective is basically making sure that all the services you use for your business do not violate your data protection obligations and create disruptions for you.

This, according to our experts, could take you on average 30 hours and depends again on the type of work your company does and the number of vendors you have.


Step 4: Data Protection Impact Assessment

A Data Protection Impact Assessment refers to estimating the entire risk for the company and its pertaining operations. Essentially, it means that an external person helps the organization to identify, assess and minimize the risk of its processing activities. An overwhelming majority of the experts whom we surveyed were of the opinion that for an external consultant to do this for a client could take 25 hours on average.


What happens after you become compliant?

If you thought it was a one-time thing, then you were…

Because being compliant is a process which changes as your company grows, evolves and modifies its operations, it’s important to think of it as an ever-present goal for your company.

Our experts estimate that the work needed to stay compliant would take on average 75 hours per year. Moreover, some of them were also of the opinion that the company’s Data Protection Officer (DPO) should actually calculate the hours based on the Data Protection Impact Assessment.

On the time needed to conduct an annual Data Protection Audit, our experts were once again very divided. The average response came to about 10 days a year.

We think that automating your compliance process will actually save you a lot of hassle and will replace the external consultants that you would otherwise have to hire (the cost of which could be on average about 150 euros per hour, according to our experts). So in short, we suggest estimating the time you need in your pre-assessment holistically, taking into account all your activities.

Key takeaways:

1) If someone is cheaper than 100 euros per hour, ask yourself whether they really want to sell their services or actually want you to be compliant.

2) Automating compliance will definitely make GDPR compliance 5x faster, since it will reduce the amount of prior knowledge that you need to collect and assess.

3) Having software will also make compliance easier to manage in the future, since you will be able to track your progress and see what still needs to be done.

4) Overall, the GDPR project takes more than 200 hours if you have done nothing at all.

“Execution is key but endangered by overthinking.” (Lisa, Scalable Capital)

Book a Demo with us to learn more about how we can help you comply!

Some of the experts helped us to collect this data and wished to be mentioned here. If you want to connect with the experts, feel free to contact them on LinkedIn:

Christian Schmoll, g3s Rechtsanwälte

Jodi Daniels, Red Clover Advisors

Lisa Gradow, Scalable Capital

Mandy Webster of Data Protection Consulting Limited