CHAPTER 11
A Step-by-Step Compliance Plan
A realistic roadmap for an SMB starting from scratch, or nearly so. Timeframes overlap β start with the highest-impact actions.
Phase 1 Β· 0β90 days
Foundations and critical risks
| Action | Owner | Priority |
|---|---|---|
| Formally designate the Privacy Officer (delegate in writing if needed) | Management | Critical |
| Publish the Privacy Officer's contact info on the website | Marketing / IT | Critical |
| Set up the incident register | Privacy Officer / IT | Critical |
| Draft a minimal incident response plan | IT / CISO | Critical |
| Map your data (starter inventory) | IT | High |
| Enable MFA and review critical access | IT | High |
| List suppliers that process personal data | Privacy Officer | High |
Phase 2 Β· 3β6 months
Policies and processes
| Action | Owner | Priority |
|---|---|---|
| Draft the (internal) governance policy | Privacy Officer | High |
| Publish the privacy policy (on the website) | Privacy Officer / Marketing | High |
| Review forms and marketing consent | Marketing / Sales | High |
| Update supplier contracts (Law 25 clauses) | Privacy Officer / Legal | High |
| Carry out PIAs for priority out-of-province flows | Privacy Officer / IT | High |
| Define the retention/destruction schedule | Privacy Officer / IT | Medium |
| Set up the rights-request response process | Privacy Officer / Customer service | Medium |
Phase 3 Β· 6β12 months
Maturity and continuous improvement
| Action | Owner | Priority |
|---|---|---|
| Roll out staff awareness training | Privacy Officer / HR | High |
| Test the incident response plan (tabletop exercise) | CISO | Medium |
| Strengthen encryption, logging, backups | IT / CISO | Medium |
| Set up an annual review of policies and PIAs | Privacy Officer | Medium |
| Document compliance (auditable evidence) | Privacy Officer | Medium |
| Assess adopting a framework (NIST CSF, ISO 27001) | CISO | Optional |
Prioritization advice
Where to start if resources are limited?
If your resources are limited, tackle first what reduces real risk and the risk of sanctions:
- A formally designated Privacy Officer
- An operational incident register
- MFA enabled on critical access
- A privacy policy published on the website
These are the most visible gaps, the easiest to flag against you, and the ones that come up in the CAI's first inspections.
Compliance is a continuous process, not a one-time project. Document everything: in an investigation, proof of due diligence matters as much as perfect compliance.