TOP 10 Questions To Ask a “GDPR Expert”
The General Data Protection Regulation (GDPR) is one of the hottest topics right now, and ensuring compliance is a board agenda item for most organisations. The challenge is that achieving compliance is no easy task, with many organisations grappling with limited resources and time fast running out to the compliance deadline of May 2018. The limited resources include budget and staff, but also individuals who can interpret the regulation and provide robust guidance aligned to the organisation's data processing activity. These individuals have in the past been lawyers, compliance / risk officers or Data Protection Officers who have studied the previous European Data Protection Directive of 1995 and/or, in the UK, the Data Protection Act 1998.
According to the International Association of Privacy Professionals (IAPP), approximately 75,000 Data Protection Officers will be needed to meet the demand created by GDPR.
There is a significant shortfall, and it includes individuals with the knowledge to support organisations on their compliance journey.
With limited resources, the finite time left to comply and the threat of fines of up to 4% of global annual turnover or €20 million, whichever is higher (no scaremongering here), many organisations are in desperate need of help. Where there is demand, there will inevitably be supply, and so …
THE GDPR EXPERT
What is a GDPR Expert?
According to Wikipedia, an expert is defined as follows:
However, this does not deter those with an entrepreneurial mindset. With contract rates of up to £1,500 per day being touted, there is a gold rush not too dissimilar to the one that accompanied the then-promised electronic apocalypse of Y2K.
What value do organisations think they are getting with a GDPR Expert?
- Someone knowledgeable about data protection and privacy law who can provide guidance to support practical implementation and achieve, or get as close as possible to achieving, GDPR compliance
What the reality might be:
- Someone who has been on a crash course which covers GDPR broadly but who lacks the depth of knowledge and insight to "expertly" support a GDPR programme
- The wrong advice is given / received
I am not writing this post to belittle new entrants into this space or scare organisations who are challenged on their GDPR compliance journey and have got a “GDPR Expert” in to support. I have personally benefitted from switching careers and I am thankful to BNP Paribas for allowing me to take on an important role with limited experience when I was appointed Data Protection Officer in 2011.
However, the world has changed.
As we know, the impact of getting things wrong under the old regime of the Data Protection Act was minimal (fines of up to £500K), but now under GDPR the impact is significantly greater, not only due to increased sanctions but also due to public perception, underpinned by increased awareness of privacy rights.
I was lucky that I had the time to learn, grow and gain depth of knowledge in a very complex topic, supported by some great mentors who had decades of knowledge on Privacy and Data Protection. New practitioners in this space do not have the same luxury and run a personal and professional risk if, ultimately, they only have the slightest of clues!
The following 10 questions are both for organisations who would like to perform enhanced due diligence on the "GDPR Experts" they are sourcing and for new entrants into the field. If you are new to Privacy / Data Protection, hopefully you can use the list below to quickly identify gaps in your knowledge to work on BEFORE providing the related advice.
The 10 Questions:
Has the GDPR Expert / YOU ever (not in order of importance):
1. Written comprehensive internal policy documents related to Privacy / Data Protection and supported the implementation of this throughout the organisation?
2. Drafted and implemented external facing Privacy policies on websites and customer contracts?
3. Drafted and negotiated Privacy / Data Protection clauses in contracts with suppliers and third parties?
4. Performed Privacy / Data Protection due diligence exercises on suppliers?
5. Responded to a Data Subject Access Request?
6. Managed an incident (e.g. data breach), including interaction with the regulator (e.g ICO)?
7. Performed reviews / monitoring / audits of the organisation's Privacy / Data Protection controls and reported the findings and recommendations through the internal governance structures?
8. Created and delivered Privacy / Data Protection training?
9. Presented to the board / Senior leadership on Privacy / Data Protection risk to increase awareness and understanding of the topic?
And the key question…
10. How many years of experience as a Privacy / Data Protection practitioner?
For anyone who is engaged on a GDPR programme, it is clear that it is a regulation that spans the entire organisation, from customer acquisition, technology, marketing, HR, risk, compliance, internal audit and third parties to security (to name but a few). Therefore true Privacy Practitioners will, and must, have the broad knowledge that comes with embedding an organisation-wide Privacy culture. Without this knowledge, any advice is merely academic, without any real understanding of the downstream impacts or any demonstrable follow-through on the advice provided.
There are some fantastic Privacy / Data Protection practitioners and right now they are heavily sought after. But based on the hype surrounding "GDPR Experts", they may feel overlooked. I saw this image on a LinkedIn post which I cannot find again and, as with all things comedic in nature, it's funny because it's uncomfortably true!
If you’re in the market for GDPR support, I hope this post has been useful in qualifying the candidates.
If you’re a Privacy / Data Protection Practitioner and have the right knowledge and skills to support organisations on their journey – I wish you good luck! Your time is now!
See you on my next post and podcast. Stay safe and remember: "Information is a risky business".
About the author:
Jeremy Kajendran has over 13 years of experience in Information Security, Privacy and Risk Management. Jeremy leads Ernst & Young's (EY's) UK Financial Services Privacy Practice and is a Fellow of Information Privacy (awarded by the International Association of Privacy Professionals).
Views and opinions presented on inforisky.com and in talks and podcasts by Jeremy are personal opinions only and in no way represent the views, positions or opinions, expressed or implied, of Jeremy's previous, current or future employers, consulting customers or anyone else.