If you’re reading this, you likely fall into 1 of 3 camps:
1. You are horrified at the concept and can’t wait to tear me a new one;
2. You actually think I may be able to help you make a lot of money; or
3. You know me and realise that the title is nothing but click-bait

If 1., then good for you, I would do the same. If 2., then you’ve come to the wrong place unless you’re prepared to put in significant effort. If 3., then you’re right! 🙂
However, the fact is that there is a lot of money to be made in GDPR, but you only deserve it if you are providing true, long-term benefit to your clients. Otherwise, kindly stay away. This goes for consultants and product vendors alike; do business with integrity, there’s simply no need to exploit those less knowledgeable. Unfortunately, the vast majority of people with whom I come into contact still haven’t even read it, leaving the door wide open for those intent on exploitation.
So where is this money I’m talking about? Where is it all going to come from? Simple: almost every organisation doing business in, and with, the EU will have to make adjustments of some sort. Some more than others if you’re following the whole Facebook scenario. There are some that think by ‘hiding’ the data overseas that they have avoided the issue, but these people are naive in the extreme.
GDPR, and the many regional variants around the globe, represent a fundamental shift in the way the WORLD will be conducting business. This is no longer a matter for ‘corporate responsibility’, this is a law. And while countries like Russia, China and sadly the US may view things very differently …at the moment, the writing is on the wall. Things are changing and they cannot change back.
But back to the actual point of this blog…
Take my example, I am [at a stretch] a security ‘professional’, and therefore have a part to play in the implementation and ongoing maintenance of a data protection program. So does HR, and Legal, and Sales, and Marketing, and IT, and Operations, and… you get the point. You do NOT have to be a data protection expert to play an equal part in a GDPR program. However, you DO have to have at least a foundation in data protection if you want to put your existing skills into the appropriate context/spotlight.
I can help you find your data, and map your data to business processes. I can also help you cover all of Article 32. With my ever expanding foundation in data protection I can now help translate this information to the real experts who make the legal decisions. And because I can somewhat speak their lingo, I can also translate their decisions back to those who not only have to put them into effect, they have to live and breathe them every day performing their actual day jobs. But that’s ALL I can do; i.e. the things I’ve been doing for 20 years but wrapped in a new context. A new language for the same skill-set.
One of the biggest misunderstandings in the whole process is that it’s the data protection experts that have the final say. It’s really not; the individual experts in their fields do. HR, Sales, Marketing, IT, IT Security, you name it, will dictate the appropriate solutions in line with the goals, just as long as those solutions support the defined legal bases. It’s like me telling you to go home. There are many ways to get there, the HOW is up to you, and I have to assume that you know the best way.
Too many people are taking these GDPR foundation and practitioner courses to take advantage of this tremendous opportunity, but instead of using this knowledge to enhance the role they already play, they put themselves in the primary position of data protection experts. You only have to look at their LinkedIn profiles to see this nonsense at play. They have 10 years of experience in security, or IT, or whatever, took the GDPR Practitioner course 6 months ago, now they have “Data Protection” and/or “GDPR” in their Headline.
To make things worse, employers are starting to put GDPR Practitioner as a prerequisite for employment! This is the height of stupidity and no different from requiring Security+ certification for a position as CISO. This spectacular ignorance is only making things worse by lending credence to an acronym. There are no shortcuts to the knowledge you need to play an important role in a GDPR implementation, so a 4-day course is the VERY beginning and no more.
By all means, go and get certified, but stick to what you know, THAT’S where the real money is. Try to be something you’re not and you will likely fail. Rightly so. The fact is that the data protection bandwagon has many more years to roll, as not only is May 25th NOT a deadline, but the true nature of GDPR’s impact won’t be felt for some time. Case law / precedent will be slow in maturing with regard to representatives, lead supervisory authorities, and a plethora of other things, so no one has missed the opportunity.
Data protection will now be an intrinsic part of almost everyone’s day job, and it will be those who can blend the two that will reap the rewards. Don’t be a #gdprcharlatan, because you will be found out …eventually.