Readiness Process
Sprint Timeline
The engagement follows structured phases, each building on the outputs of the previous one.
1. Intake (2–6 days)
- NDA & stakeholder map
- Document request
- Scoping interviews
- System boundary draft
2. Assessment (9 days)
- TSC selection
- Type 1/Type 2 recommendation
- Control walkthroughs
- Evidence sampling
3. Outputs (9 days)
- Controls matrix & gap register
- Policy/document backlog
- Evidence calendar
- Executive readout & roadmap
4. Follow-on (Variable)
- Remediation implementation
- Type 2 observation period
Phase Details
1. Intake & Scoping (Week 1)
We start by understanding your processing landscape, data flows, and compliance context.
- Processing activity inventory — catalog all processing activities across the organization
- Lawful basis mapping — identify the legal basis relied on for each processing activity
- Third-party processor review — map all processors and sub-processors handling personal data
- Cross-border transfer assessment — identify all international data flows and current transfer mechanisms
2. Assessment (Week 2–3)
We evaluate your current data protection posture against GDPR requirements.
- ROPA development — build or validate a comprehensive Record of Processing Activities
- DPIA evaluation — identify processing activities requiring impact assessments and review existing DPIAs
- Data subject rights workflow review — assess response procedures for all right types against 30-day timelines
- International transfer mechanism assessment — evaluate adequacy of SCCs, BCRs, and other transfer safeguards
3. Outputs (Week 3–4)
We deliver the artifacts that define your path to GDPR accountability.
- Gap register and remediation plan — every gap ranked by risk with owners and timelines
- Privacy notice templates — GDPR-compliant notices for employees, customers, and website visitors
- DPIA methodology framework — reusable methodology for conducting future impact assessments
- Processor agreement templates — Article 28-compliant data processing agreement language
4. Follow-on (Ongoing)
After the readiness sprint, continued support ensures sustained compliance.
- ROPA maintenance — ongoing updates as processing activities change
- DPIA updates for new processing — impact assessments for new products, features, and vendor relationships
- Transfer impact assessments — ongoing evaluation of international transfer mechanisms
Sprint Deliverables
Every readiness sprint produces these minimum deliverables:
- Record of Processing Activities (ROPA)
- Lawful basis documentation
- Data subject rights procedures
- DPIA methodology framework
- International transfer assessment
- Processor agreement review
- Privacy notice templates
- Remediation roadmap
Start Your Readiness Sprint
Most companies complete the readiness sprint in 3–4 weeks. The result is a clear, actionable plan to demonstrate GDPR accountability.