[Angostura]

As someone who was involved in the GDPR work for an organisation that holds some fairly critical information about people and needs to share it with other organisations both as Data Controller and Data Processor, it really wasn’t too bad, mainly because we had already thought quite carefully about privacy and data security.

As a committee member on a local swimming club, it took about 2 hours.

[Matticus_Rex]

There's a huge variance depending on the complexity of the business and how many different things you do. Most of the variance has little to do with the shadiness/lack thereof of what you were doing with the data or even how well it had been thought through. Most of the variance is in how many different types of things you're doing and how many different data inputs you have.

I've talked to colleagues who do a wide variety of processing for their controllers in a business with just a few employees, which is paralyzing. The company I work in is somewhere in the middle. I've also talked to colleagues at companies who only have a few inputs, and regardless of the volume of input that seems to be pretty easy.