GDPR compliance roadmap

Step                                                                     Estimated effort
Determine if GDPR applies to you                                         1 hr
Build the data inventory (Article 30 records of processing)              1-3 days (most of it auditing what you actually collect)
Write the privacy notice (and host it at /privacy)                       1-2 days
Sign DPAs with every sub-processor                                       1-2 days
Build the DSAR (data subject access request) intake process              1 week to build, ongoing thereafter
Implement cookie consent + tracking consent                              2-3 days
Run a DPIA (Data Protection Impact Assessment) for high-risk processing  2-3 days when triggered
Set up the breach response process (72-hour clock)                       1-2 days
Appoint an EU representative (if non-EU based) and consider a DPO        1 day
Train the team + maintain the program                                    Ongoing, ~2 hours/month after setup

Data inventory (Article 30 records of processing)

Data category                    Lawful basis and handling
User profile (email, name, org)  Lawful basis: contract performance. Retention: account lifetime + 30 days.
Usage analytics (anonymized)     Lawful basis: legitimate interest. PostHog with IP truncation.
Billing data (Stripe)            Stripe is the controller; we only get customer IDs.
Support emails                   Lawful basis: legitimate interest. Retention: 2 years post-resolution.

Data subject requests (DSARs)

Data export request. Fulfilled in 14 days. JSON dump emailed.
Account deletion request. Cascading delete + 30-day retention period before purge.
Data export request from EU customer. 30-day clock starts now.
Account deletion request. Cascading delete + 30-day retention period.
Data correction request rejected: requested change would falsify audit log.