How long GDPR compliance takes (and what compressing the timeline costs).
Calendar and cost interact directly. A 6-month programme done in 3 months runs 1.4-1.8x the natural cost. A 6-month programme stretched to 12 runs 0.85-0.95x the natural cost but at the price of programme momentum. Realistic timelines, the compression curve, and the phase-by-phase shape.
Realistic timelines by company size and maturity
| Profile | Realistic first pass | What drives the calendar |
|---|---|---|
| SME (10-50), no prior programme | 4 - 6 months | Stakeholder availability, supplier remediation cycles |
| SME with prior privacy programme | 3 - 4 months | Documentation completion and gap remediation |
| Mid-market (50-500) | 9 - 18 months | Multi-entity scope, supplier contract remediation, ROPA build |
| Mid-market with ISO 27001 | 6 - 12 months | Privacy-specific layer dominates calendar |
| Federated enterprise (500+) | 18 - 36+ months | Multi-jurisdiction harmonisation, rolling implementation |
The compression cost curve
A natural-pace 6-month programme that needs to ship in 3 months typically costs 1.4-1.8x the natural budget. The cost inflators are: more consultancy days deployed in parallel (day rates dominate), more parallel workstreams (coordination overhead grows superlinearly), and more remediation work being addressed without full discovery time (typically requiring rework).
A natural-pace programme stretched from 6 to 12 months costs slightly less in absolute spend (0.85-0.95x) but loses programme momentum. The risk is incompletion: stretched programmes tend to settle into “ongoing” without ever being declared done.
The phases
- Discovery (3-6 weeks): data flow walks, processor inventory, lawful basis catalogue, current-state documentation review. Held up by stakeholder calendars more than anything.
- Gap analysis (2-4 weeks): structured comparison of current state to obligation set, prioritised findings list, recommended remediation plan with cost and time estimates.
- Remediation (8-26 weeks): the longest phase. Held up by supplier contract remediation cycles, internal engineering backlogs, and DPIA backlog clearance. The phase that compression cost most affects.
- Documentation (4-8 weeks): policies, ROPA, DPIA framework, breach playbook, transfer mechanism stack, customer-facing privacy notice. Often runs in parallel with remediation.
- Training rollout (2-6 weeks): content selection, scheduling, delivery, evidence retention. Volume scales with headcount.
- Audit (2-6 weeks): internal or external; remediation discoveries during audit can extend the cycle.
- Ongoing: monitoring, retraining, surveillance audits, regulatory updates. See the year 2 onwards page.
What teams underestimate
Stakeholder calendars are the single most common source of slippage. A weekly working session with seven cross-functional stakeholders runs into school holidays, conference travel, and quarter-end pressure faster than the plan reflects. Supplier contract remediation cycles are the second; the supplier’s legal team has its own queue. Evidence collection is the third; everyone underestimates the time. Training rollout is the fourth; getting 200 people to complete an e-learning module takes longer than scheduling the kickoff suggests.