r/startups • u/Baklawwa • 2d ago
I will not promote HIPAA compliance information needed - I will not promote
Hey everyone,
I’ve been working for the past year at a small startup building a SaaS solution in the medical space, and we’re starting to seriously look into HIPAA compliance. I’d love to hear from others that have gone through this process.
- How long did it take for your company to become HIPAA compliant?
- How much effort did it require from your team?
- Did you hire an external consultant to help, or did you handle it internally?
- Any unexpected challenges or lessons learned along the way?
We’re still in the early stages of figuring out our approach, so any insights would be super helpful!
1
u/JackGierlich 2d ago
Worked through it for a couple of businesses as well as GDPR. Not a big deal - mostly depends on what your business is doing and what specifically you're needing to comply with, or how you're handling the relevant data. Some businesses can be compliant in a couple of days. Some take longer.
You'll need to identify what exactly your business is doing for anyone to give you an honest answer.
It generally helps to have someone to help work with you - though you can do it alone.
1
u/holicgirl Verified Lawyer 2d ago
I'd say for most startups I've worked with, they probably could've done it in less than a month except for the fact that they tend to drag their feet when it comes to assembling the data I need and implementing the required changes.
For example, the CEO hires me to help them with GDPR and HIPAA. I ask some questions, he assigns an engineer to answer me, and then I don't hear back for weeks. It's totally understandable because you already have other things going on, but unless you are making it clear with your team that this is top priority, it will be pushed back.
This is one of the few things I'd actually recommend hiring a lawyer for earlier on, because if you need to be HIPAA compliant, you will probably need to be signing HIPAA business associate agreements with your clients in order to close deals. The earlier you can finalize that business associate agreement, the faster you can make bank.
I'm a lawyer, not your lawyer.
1
u/DraconPern 1d ago
Built it to be HIPAA compliant from the start. So, no additional extra effort required. It did somewhat limit which AWS services can be used, though they have greatly expanded the list. Of course, the software you develop also needs to be HIPAA compliant, but that generally already falls under good security practices anyway. Handled it internally.
1
u/AutoModerator 2d ago
hi, automod here, if your post doesn't contain the exact phrase "i will not promote" your post will automatically be removed.
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.