Precautions for GDPR Consultants
If you haven’t heard of GDPR then where have you been for the two years! If you don’t know what it is then go to this summary here. From a consulting point of view it is likely to be the source of lots of project work to help companies get compliant.
Some consultancies have a head start when it comes to offering advice on GDPR or related services. This is usually because they have a background in data protection advice.
A lot of firms are now beginning to offer GDPR audits on top of their day to day operations, and there is a pseudo GDPR goldrush underway. Although there are a huge number of firms offering quality advice, there are also likely to be a number of companies who are not well prepared enough to satisfy the needs of their customers.
If you find yourself being asked by your employer to give GDPR advice without a proper backing, take the following precautions.
Get Legal Advice or Backing
If your firm has legal representation or an internal team, talk to them about any liability you could have when offering GDPR advice to clients. They will be able to tell you from a legal standpoint what you should and should not communicate with customers. They may also be able to help during delivery to answer any client questions that may not be obvious.
If you are uncomfortable answering specific questions on the legislation, push back on your employer to offer proper support or legal guidance.
Partner with a GDPR specialist
GDPR can be a complex topic at the best of times. If you are offering a complimentary service (systems consulting, data management, organisations charge etc) then why not partner with a firm that can handle the legal side.
There are a wealth of firms offering GDPR consulting services, do your due diligence and find one that can let you get on with delivering your specific skill set and let them worry about the technicalities. If you’re providing them with a potential client lead, they may offer preferential rates.
Outline exactly which service you are offering
Ensure that you are not offering clients a specific guarantee over their compliance that you cannot back up. If you are offering an analysis of PID (Personally Identifiable Data) in their business systems, then ensure they know your role is to detect possible non-compliance issues, not to solve them for your client going forward.
Read deep into the legislation
Be prepared. The amount of people preaching about GDPR who have not fully engaged in reading the legislation is astounding. If you are offering advice on GDPR a summarized slideshow will not cut it. You need to have a deeper understanding of the law than your clients, and summaries do not cut it for detail. There are a number of nuances and applicable conditions you can only understand by reading the legislation.
It may take some time and be a lot of information to take in, but it’ll put you on the right foot forward to being a better adviser.
Understand the severity of getting it wrong
GDPR is a much needed update of standard Data Protection and it has teeth. Being found to be out of compliance of the legislation can be a fine of up to £20 million OR 4% of annual turnover.
This is a massive risk for any business that collects and processes people data. They expect to receive educated and effective advice from external consultant. Not doing your job properly when advising on GDPR can leave companies liable to huge fines.
Practise what you preach
Query how your own employer manages your information and ensure you apply good practices when handling data. Imagine how your life could be impacted if a company misuses your data. Breaches can lead to identity theft, fraud and a whole host of other issues for individuals. And please whatever you do, check who you are sending your emails to when communicating with clients.
The last thing a company wants when hiring someone to review their GDPR policy is to see three people CC’d into an email they don’t know. Or even worse in extreme cases, their competitors.
All the Best,