FAQ: We have a SOC 2. How much effort is GDPR?

FAQ: We have a SOC 2. How much effort is GDPR?

Assuming your Company is subject to GDPR, the level of effort depends a lot on the maturity of Organizational and Privacy controls. The Organizational will be mostly met by implementation of the related latest SOC 2 updates, which is good. However, if you are not currently including Privacy in your SOC 2, and do not have a strong privacy program in place, there will be a moderate level of short term effort required.

It should take approximately 2 to 3 months in collaboration with your Auditor to perform a readiness assessment of the specific GDPR requirements and implement said updates for most Company’s.

The upside of being required to implement GDPR is that there would be minimal effort to include Privacy and references to any unique GDPR requirements within future SOC 2 reports.

Additional FAQs

What is SSAE 18 (formerly SSAE 16)?

A SOC 1 Type 1 report typically costs on average anywhere between $10,000 and $20,000 USD, without the readiness assessment project which most Organizations benefit from and can be an


The SOC 1 has a completely different purpose than HITRUST. Typically a company would perform both if they are a TPA processing medical claims and other claims, where, there is

Get Our Emails

SOC Reporting Guide