25 May 2018

The upcoming changes to data management mandated by the European Union’s General Data Protection Regulation (GDPR) are causing organizations across the world to take a hard look at their data policies. GDPR is set to go into effect on May 25, 2018, and its rules will regulate the way companies gather, store, use and share the personal data of all EU citizens, immigrants and visitors. Despite hefty fines for noncompliance, many organizations report that they are struggling to come into line with the new laws by the deadline.

It’s perhaps not surprising that the number of consultants offering GDPR preparedness services has skyrocketed in the past year. While many of these firms are no doubt legitimate, it will still be a challenge for companies to sort out the good from the bad. What sort of qualifications should you look for in a GDPR consultant? How can you find a consultant that will best suit your business and guide it through the process of GDPR readiness?  And what are some red flags that might indicate a poor fit?

Below, we offer a quick guide to help you make the best decisions for your organization.

If your company finds itself casting around for GDPR help, please read this before taking on a new consultant.

The Two Sides of the Coin: Law and Tech

Some analysts have broken the GDPR laws down into two realms, the legal and the technical. Kon Leong, CEO of ZL Technologies, describes the first realm as the “qualitative” side, meaning that it deals with the processes and procedures of the legislation. Clearly, for this aspect, one would want an attorney, particularly one well versed in the legalities of data protection and case law. This knowledge should span not just the details of the GDPR, but also the Data Protection Act of 1998, as many companies will be making a shift from those existing regulations to the new set of laws. You will need to find someone who can translate legislation with ease and apply it to the specifics of your business.

Learn more about how GDPR will change how organizations will respond to data breaches. 

Be wary of any attorney who claims to have GDPR Certification. While there are a number of GDPR training courses available, the governing body behind the GDPR has not authorized an official certification program specific to the GDPR as of yet. The knowledge consultants gain in a foundational GDPR course may prove useful, but the completion of such courses does not guarantee their competence.

Instead, try to get a handle on how the consultant transfers the textual interpretation of the law into actual implementation. In all likelihood, this will require a fairly sophisticated awareness of IT. Bart Willemsen, research director at Gartner, suggests making sure that any prospective consultant can explain the following:

  • The proper value of identity and access management and retention periods, and how each are to be implemented
  • The difference between pseudonymization and anonymization as they pertain to IT dynamics
  • The risk of re-identification of de-identified information after the retention period has expired

This brings us to the tech side of the coin. While many commentators have made the convincing argument that GDPR is a business problem, not an IT problem, the fact remains that in order to execute a successful compliance strategy, a worthwhile consultant needs to have a firm grounding in the tech ramifications of the law. In addition to the questions above, you’d be wise to ask how a prospective consultant would help you deal with the following issues:

  • Appropriate skills to conduct a thorough data audit
  • Plans for hardware and software, including anti-virus and document management
  • Suggested policies for device management, including print management and mobile devices
  • Opportunities for staff and management training
  • Aid in process development to help support new policies

The scope of all of these qualifications will likely fall beyond the capability of any single consultant, so find out how their firm is positioned to offer expert support staff for each niche.

Crisis Management Expertise

Some of the GDPR’s biggest changes involve how companies will need to react to data breaches. In the event of a data breach, your GDPR consultant will be uniquely positioned to help you launch your legal defense. To that end, any prospective consultant should have a proven track record with respect to crisis management. Before signing on with them, ask yourself whether you feel confident in their abilities to advise and represent you during this arduous process.

First Impressions

As you begin to gauge the merits of a prospective consultant, reflect on their first impressions and initial moves. The best consultants should want to listen as much as they talk. That is, instead of just telling you about their services, they should be asking questions about your objectives, your timeframes and your resources. How in-depth are these questions?  How invested do they seem to be in wanting to understand your business needs?  Do they offer to spend time onsite to gauge your options?  GDPR compliance will likely be an ongoing process, not a one-and-done event. A quality consultant will be one you can imagine yourself working with well into the future.

Beware Silver Bullets and Magic Answers

The complexity and scope of the GDPR laws make any one quick fix almost impossible. Any GDPR “expert” who tries to sell you a software program or a set of magic policy documents is probably running a sham. In most cases, it is possible to meet compliance standards within the bounds of an organization’s existing systems, so if a consultant is pressuring you to buy his product, be warned. Those who use tactics of fear mongering and disaster scenarios are probably best left alone. Instead, look for consultants who answer your questions with forthrightness and candor, giving you a clear understanding of what you can expect from their services.

Conclusion

Choosing the right GDPR consultant is a tough decision. With the potential repercussions for noncompliance set so high, it is no wonder why so many companies are looking for help. If your organization needs guidance, contact a Blueprint OneWorld representative. We can help you find the resources you need to be safe and successful.