The GDPR was adopted one year ago (on 27 April 2016, published in the GUE on 4 May 2016), and many organisations have not yet outlined an adjustment plan.
There is only one year left to comply (the deadline is set for 25 May 2018).
Some data protection authorities of EU Member States have published documents on how to adapt:
- The UK's authority (ICO): 12 steps
- The French authority (CNIL): 6 steps (see also the article posted by Butti)
I tried to develop a plan, designed for a medium-sized enterprise, which has dozens of treatments involving sensitive data and personal data relating to criminal convictions and offences (art. 9-10 of the GDPR), and which already holds a quality certification such as ISO 9001.
Obviously, the plan needs to be adapted to each individual organisation: the time estimates are, on average, optimistic and require an evaluation for each specific situation.
To this end, I have not considered the problem of people saturation (the over-allocation of many tasks in the same periods).
Therefore, I believe that only predecessor tasks are significant.
It seems to me that it is very challenging to comply within the deadlines set.