HomeResources › How to Structure a Privacy Programme in 90 Days

How to Structure a Privacy Programme in 90 Days

How to structure a privacy programme in 90 days — a GDPR guide for DPOs and privacy governance

How to structure a privacy programme in 90 days?

Setting up a privacy programme in 90 days may seem ambitious, but it is perfectly possible when the aim is not simply to ‘tick off the GDPR in an Excel spreadsheet’, but rather to establish a realistic, documented and sustainable governance framework. The GDPR applies to the processing of personal data by organisations established in the EEA or targeting individuals in the EU, and requires not only substantive compliance but also the ability to demonstrate it. This accountability framework includes, amongst other elements, data protection by design and by default, records of processing activities and, where applicable, impact assessments.

Many organisations start too late, or start from the wrong end. They rush into generic policies, templates copied from the internet or cookie banners, when they do not yet know what data they process, why, for how long, with which suppliers, in which systems, and what the risks are. The result is usually predictable: disjointed documentation, low internal buy-in, slow responses to data subjects’ requests, and difficulties in justifying decisions to clients, partners, auditors or the supervisory authority.

A robust privacy programme is not just a document. It is a system for decision-making, control and accountability. It must link governance, operations, technology, risk, legal, HR, marketing and suppliers. In practical terms, this means that, after 90 days, the organisation should have: defined roles, a usable inventory of data processing activities, clear priorities, minimum procedures in place and an improvement plan for areas that are not yet fully developed.

What should be in place by the end of the 90 days

If the programme is well designed, the first 90 days should lay the operational foundations, not merely create the illusion of compliance. The ideal outcome is not that ‘everything is complete’; rather, it is that ‘the governance, methodology, evidence and capacity for implementation are already in place’.

In practice, this means having at least five stabilised areas. First, governance: management sponsorship, clear responsibilities and a decision-making process. Second, visibility: knowing what data processing operations exist, where the data is located, who has access to it and which suppliers are involved. Third, documentation control: policies, notices, records, legal bases and retention rules that are sufficiently aligned with reality. Fourth, operational response: knowing how to handle requests to exercise rights, personal data incidents and new initiatives requiring prior analysis. Fifth, continuous improvement: metrics, training, a remediation plan and periodic review.

The GDPR expressly requires organisations to keep records of processing activities, to respond to data subjects’ requests within one month as a general rule, to implement technical and organisational measures appropriate to the risk, and to carry out a DPIA where the processing is likely to result in a high risk to the rights and freedoms of individuals. It also requires organisations to be able to demonstrate compliance.

Before you begin: appointing leadership and defining the model

No privacy programme works without someone in charge. Even where there is a DPO, this does not mean that the DPO ‘does everything’. The DPO advises, supports, monitors and acts as a point of contact; responsibility for compliance remains with the organisation. The DPO must be involved at an early stage, report to the highest level of management and act independently, without any conflicts of interest. They may be internal or external, provided they possess the appropriate skills and qualifications.

This is precisely where many companies waste time. They appoint someone who isn’t actually available, pile the role onto incompatible positions, or treat privacy as a matter exclusively for the legal or IT departments. Instead, the initial phase should clarify four key points:

1. Who sponsors the programme.
Without management support, privacy becomes nothing more than a collection of ignored requests.

2. Who decides.
A small committee or validation process should be established, involving management, operations, IT/security, HR, marketing and procurement, in line with the company’s specific circumstances.

3. Who is responsible.
Not everything needs to go through the DPO. There should be a network of internal contacts for each process or area.

4. How risk is assessed.
When there is a new treatment, incident, critical supplier or significant concern, who validates it, within what timeframe and using what criteria?

If this structure becomes clear right from the first week, the rest of the plan will move forward more quickly.

Days 1 to 30: create visibility and minimal control

The first month should be used to replace guesswork with facts. At this stage, the main aim is to understand how the organisation handles personal data in practice.

Start by interviewing the departments with the highest volume of data: HR, sales, marketing, customer service, procurement, IT, operations and management. Don’t aim for perfection; aim for a clear overview. What are the key processes? What categories of data are involved? Who are the data owners? What systems are used? Is data transferred to suppliers? Are decisions automated? Is there any sensitive data? Are there defined retention periods?

This forms the basis for the record of processing activities. The record should not be a bureaucratic formality created simply for the sake of having one. It should be a management tool. It should help to provide quick answers to key questions: why we process this data, on what legal basis, where it is stored, who has access to it, how long it is retained, and what security measures are in place. The EDPB specifically highlights the usefulness of the record in providing visibility into operations, and points out that, even for organisations with fewer than 250 employees, the legal exemption is narrower than is often assumed.

At the same time, it is advisable to carry out a document inventory. Gather everything that already exists: external privacy policy, internal notices, contracts with subcontractors, confidentiality clauses, retention policies, forms, incident procedures, consents, access matrices, risk assessments. In many companies, half the work in the first 30 days involves tracking down scattered documents and identifying what has already been partially completed.

In this first section, it is worth setting up three basic mechanisms:

  • an internal form for recording new treatments or relevant changes;
  • a box or workflow for account holder requests;
  • a simple incident escalation process.

This ensures that the presentation isn’t limited to PowerPoint.

Days 31 to 60: turning the diagnosis into operational guidelines

In the second month, the priority shifts from mapping to organising. This is when the programme begins to take on a practical form.

The first step is to align legal frameworks, purposes and privacy notices. Many organisations have lengthy but vague policies, whilst actual processes use data for purposes that are not clearly reflected in the information provided. Transparency and data subjects’ rights require clear, comprehensible and useful communication. The data controller must facilitate the exercise of these rights, respond within one month as a rule, and keep a record of requests and responses.

In practice, over the course of these 30 days, you should review at least:

  • website notices and forms;
  • job advertisements;
  • information for staff;
  • consent forms, where applicable;
  • contractual information relating to data processing.

The second step is to formalise rules for data retention and disposal. A credible privacy programme does not rely on the principle of ‘keeping data just in case it might be needed’. There must be a simple framework setting out: document category, purpose, legal basis, retention period, the event triggering the start of the retention period, final destination and the person responsible. This not only reinforces the principle of data minimisation but also reduces operational risk and unnecessary data volumes.

The third step is to review the chain of subcontractors and suppliers. Wherever there is payroll, cloud services, CRM, technical support, marketing automation, ticketing, video conferencing or external archiving, data is usually processed by third parties. The programme needs a clear overview of who processes data on behalf of the organisation, what safeguards are in place, what the terms of the contract are, and the level of sensitivity involved. Even when a contract is already in place, effective control is not always ensured.

The fourth step is to strengthen the security and incident management framework. The GDPR requires measures proportionate to the risk, and security must safeguard confidentiality, integrity and availability. It is not enough simply to ‘have antivirus software’. It is necessary to understand risks, access controls, backups, authentication, updates, user profiles, logs, devices, procedures and awareness-raising.

Days 61 to 90: prioritise risk, test the response and finalise the roadmap

The third month marks the point at which the project has reached a minimum level of maturity. At this stage, the programme should transition from a documentation phase to a decision-making process.

The main focus should be on three areas.

1. Integrate privacy by design

New projects, new suppliers, new apps, new forms, new campaigns or technological integrations cannot go live without a minimum privacy check. The principle of data protection by design and by default requires precisely this: that the organisation considers necessity, proportionality, data minimisation, access rights and risks both before and during processing.

In practice, all you need to do is start with a short internal questionnaire, for example:

  • what data will be processed;
  • for what purpose;
  • who the owners are;
  • data is shared with third parties;
  • there is sensitive data;
  • is profiling or automated decision-making involved;
  • there is an international transfer;
  • Is a DPIA required?

2. Develop the DPIA framework

Not all processing requires a DPIA, but some clearly do. The EDPB points out that an assessment is mandatory where processing is likely to result in a high risk to individuals’ rights and freedoms, and cites typical criteria such as systematic monitoring, scoring, large-scale use of sensitive data, combining datasets, data relating to vulnerable individuals, or innovative use of technology.

After 90 days, the organisation must have at least:

  • internal criteria for determining when a DPIA is required;
  • DPIA template;
  • list of priority treatments to be evaluated;
  • the rule on consulting the DPO and, where necessary, the supervisory authority.

3. Rehearse orders and incidents

A programme that has never been tested will fail at the first sign of real pressure. So, before the 90 days are up, do at least two short exercises:

  • a test of a request for access or erasure;
  • a tabletop exercise simulating a data breach.

When it comes to personal data breaches, the 72-hour deadline remains key whenever there is a risk to data subjects. If the risk is high, there may also be an obligation to notify the data subjects themselves.

Realistic deliverables for the first 90 days

At the end of this cycle, the organisation does not need a ‘300-page manual’. It needs a coherent operational toolkit. A realistic set includes:

  • letter of endorsement or internal programme mandate;
  • matrix of roles and responsibilities;
  • record of processing activities;
  • inventory of systems and suppliers that process personal data;
  • data protection policy;
  • retention matrix;
  • revised priority notices;
  • procedure for data subjects’ rights;
  • incident and data breach management procedure;
  • Privacy by Design form;
  • DPIA template;
  • training and awareness programme;
  • 6- and 12-month remediation roadmap.

This already enables the organisation to move away from a reactive approach and adopt a governance approach.

Mistakes that hold everything up

  1. The first mistake is to try to address privacy solely through documentation.
  2. The second is to pass the buck to IT.
  3. The third is to turn the DPO into a ‘universal approver’ with no authority, no information and no support from management.
  4. The fourth is to overlook seemingly mundane business processes, such as recruitment, CRM, newsletters, CCTV, access control or sharing information with accountants and consultants.
  5. Another common mistake is expecting perfection right from the start.

The aim over 90 days is not to iron out every last detail. It is to establish a framework that allows us to prioritise, make decisions and demonstrate progress. A mature privacy programme is built on short cycles, operational discipline and continuous improvement.

Practical checklist: a privacy programme in 90 days

To use the first checklist in this article as a resource, simply copy and paste it:

Weeks 1–2

  • Appoint an executive sponsor for the programme
  • Check whether a Data Protection Officer has been appointed or needs to be appointed
  • Clarify whether the model will involve an internal DPO or an external DPO
  • Identify the core team and key contacts for each area
  • Approve objectives, timetable and reporting format

Weeks 2–4

  • Identify processes involving the processing of personal data
  • Map systems, databases, applications and critical files
  • Identify categories of data subjects and categories of data
  • Identify purposes and legal bases
  • Identify subcontractors and third parties with access to data
  • Create or update the record of processing activities
  • Gather existing documentation

Weeks 5–6

  • Review notices and priority transparency documents
  • Define retention and disposal matrix
  • Review contractual clauses with subcontractors
  • Create a procedure for account holder requests
  • Set up a mailbox or internal workflow for permissions

Weeks 7–8

  • Review access controls and profiles
  • Verify backups, authentication, updates and minimum procedures
  • Establish a process for managing incidents and data breaches
  • Define internal escalation criteria
  • Prepare standard messages and incident reports

Weeks 9–10

  • Create a privacy-by-design form
  • Define criteria for the need for a DPIA
  • Create a DPIA template
  • Identify higher-risk treatments for priority assessment

Weeks 11–12

  • Carry out a test at the account holder’s request
  • Perform a data query
  • Identify gaps, risks and corrective actions
  • Present a 6–12-month roadmap to management
  • Approve the training plan and periodic review
Free Excel resource

Download checklist: 90-Day Privacy Programme

To help you turn this article into concrete action, we have prepared an Excel checklist setting out the key steps for structure a privacy programme within 90 days. This tool has been designed to help DPOs, in-house teams and consultants organise their priorities, documentation and control points relating to the GDPR.

The checklist includes practical tasks relating to privacy governance, data processing mapping, documentation, risk management, incident response, privacy by design and continuous improvement. It provides a useful framework for improving compliance and monitoring the progress of your programme in a more structured way.

This Excel file includes:
✓ Phases and priorities for 90 days
✓ Checklist items for the GDPR and the DPO
✓ Editable template for internal use
✓ Practical support for implementing the privacy programme
Download the checklist in Excel: 90-Day Privacy Programme

Would you prefer to access the resource directly? Download the 90-day privacy programme checklist in Excel.

Conclusion

Structure a privacy programme in 90 days does not mean ‘ticking the compliance box’. It means laying the right foundations: governance, visibility, decision-making, response and evidence. Once these are in place, the GDPR ceases to be merely an abstract legal obligation and becomes an integral part of the way the organisation operates, makes decisions and manages risk.

If your organisation needs to accelerate this process, iPrivacy.eu can assist with setting up the programme and act as an external DPO. Where the project requires integration with governance, processes, information security and the wider implementation of controls, this support can be coordinated with the services of iCompliance.eu, creating a more consistent approach to implementation.

Next Steps

Request a GDPR diagnosis and evaluate how to set up a privacy programme within 90 days, defining priorities, responsibilities and practical measures best suited to your organisation’s context.

Suggested internal links

Share this post

Subscribe to our newsletter

Keep up with the latest blog posts by staying updated. No spamming: we promise.

Related Posts