Corrective Measures for GDPR:  How much time should you allot to achieve compliance?

Captivea LLC, Sébastien RISS

If there is any one question that businesses are asking themselves at the start of 2018, it is this: do I still have time to achieve GDPR compliance? If you still haven't started, don't worry; you should be aware that 81% of businesses will not have achieved GDPR compliance by May 2018.

Nevertheless, that doesn't mean that you should wait until the last minute. The earlier you start, the better it will be. In the unlikely event that you are investigated in June, the important thing is to be able to demonstrate that you have started taking steps. Let's therefore work together to determine the schedule for the first few phases of achieving compliance.  


Odoo CMS - a big picture

 GDPR Compliance Schedule: Initial Audit 0-3 Months

In the first instance, get in touch with an IT service provider. This provider will support you throughout the process of achieving compliance.

Then, put together your project team: Data Processor, DPO, operations manager, etc. To learn more, don't hesitate to read our article entitled "Roles under GDPR: to whom should they be assigned?"

Then, send the entire team on a training course (if you've selected your service provider correctly, this should be offered as a matter of course). Allow two days to be properly prepared

and to gain an insight into all GDPR-related challenges.

Finally, working in partnership with your IT service provider, think about auditing your first system. ERP, CRM, e-mail: work together to determine which is most relevant.

In parallel with this activity, anticipate the actions to be taken with your service provider, raise awareness with all your employees, and issue communications on the process to your customers, etc.

Corrective Measures: 6-12 Months over the longer term

Obviously, over the longer term, you will have an entirely different series of tasks to complete in parallel, with the support of your IT and legal partners. Here are the principles:

 -The audit element encompasses process mapping, impact assessments and management of individual rights. Allow between one and three months worth of work per system
- Definition of the action plan includes setting priorities, allocating corrective budgets and specifying a schedule for the corrective measures to be completed. Allow three to six months, depending on the audit results.
-The more administrative stakeholders - i.e., the legal advisers in respect of data subjects' rights and GDPR documentation. This implies that you need to review the entirety of your existing policies and procedures in relation to data protection, as well as your mandatory texts, and compile all GDPR-related documentation. Allow six to twelve months.

In conclusion, allow at least a year to complete all corrective measures in relation to your IT and your administrative processes (contracts, forms, and other documentation) which arise as a result of the various audits undertaken. Of course, GDPR-related activities won't stop there! Compliance with the Regulation is a process that needs to become inherent in your business activities over the long term.

Discover our White Paper GDPR.