GDPR Vulture

Want on the GDPR Bandwagon? Be Qualified, or Stay the Hell Off!

First, what do I mean by ‘qualified’? – I mean that the only people truly qualified to lead a GDPR project are lawyers specialising in privacy. That’s it.

EVERYONE else only has a part to play. Often a very significant part, but that’s it for them as well. A part.

I’m NOT saying that every single organisation has to make the significant investment in a privacy lawyer to meet the intent of GDPR. I’m saying that the only ones qualified to determine ‘intent’ in your organisation’s specific context, are privacy lawyers. No-one who is an expert in information technology, or cybersecurity, or any other subject is qualified …unless they are also a privacy lawyer.

To labour the point even further, a qualified person is never a ‘Certified EU General Data Protection Regulation Practitioner’ …unless – you guessed it – they are also a privacy lawyer.

I’ve seen every type of vendor from Cyber Insurance providers, cybersecurity consultants, to single-function technology vendors, make the most ridiculous claims as to their suitability to ‘help’ with GDPR. All to make a bit more money while the GDPR bandwagon is on the roll.

The prize so far goes to a consultant who maintains that the entire GDPR can be ‘operationalized’ under the ISO 27001 standard. Unfortunately this attitude is pervasive, as no organisation seems to want to share the opportunity with appropriate partners. The attitude of ‘land-the-gig-and-we’ll-work-out-how-to-deliver-it-later’ cannot apply here. GDPR is a law, one with significant penalties attached, so unless you really know what you’re doing, stick to what you know. And ONLY what you know.

For example, I can be [very] loosely categorised as a ‘cybersecurity expert’, so that limits my ability to help with GDPR to:

  1. Data Security – As I’ve said a few times now, of the 778 individual lines of the GDPR Articles, only 26 of them are related directly to data security. That’s only 3.34%. Yes, I can help you implement ISO 27001 to cover that 3.34% (a.k.a. “appropriate security and confidentiality”), but if GDPR is the only reason you have to implement ISO, don’t bother, you’ve missed the point;
  2. Secure Technology Implementation – GDPR is not about technology, but the implementation of GDPR will have significant technology implications. From collection of consent (Recital 32), to age identification (Recital 38), to the rights to erasure and rectification (Recital 39), technology will play a big role. All of this technology will require appropriate security wrappers in line with demonstrable good security practices; and
  3. Governance Design and Implementation – Any organisation that has a Governance function already has a GDPR Implementation Team in place. Since there can be no true Governance without full departmental representation (Technology, Security, Legal, PMO, Sales, Marketing and so on), it follows that the Security team will have full understanding of GDPR’s impact from the Legal team. In turn, Technology and Security will have significant input to Legal’s decisioning, and it’s this ‘negotiation’ under the Governance umbrella that gives GDPR its ‘organisation specific context’.

This should be more than enough for any security consultant, but apparently it’s not enough for some consultants who want to replace Governance all by themselves. But, what’s wrong with partnering up with others to do the parts you absolutely should not touch? Is it not better to be really good at the one thing you do for a living and be part of a team of experts who can cover the other bases?

To put this another way, do you really want to ruin your reputation by lying to your clients now, or be the resource they come to to solve every similar problem from this point forward? Do you want to sell used cars or be a trusted advisor?

GDPR, like security, is not complicated. It’s actually very simple, just BLOODY difficult to implement. There is not one individual who can simplify this for you, not even a privacy lawyer. So if you’re looking to implement GDPR, you can rest assured that anyone who is 1) not a privacy lawyer, AND 2) not part of a team of experts with collaborative skill-sets, AND 3) trying to sell you something, should be listened to with caution.

As always, I am not going to lay the blame entirely at vendors’ feet; they too have a business to run. In the end, the only people who get the answers they need on GDPR are the ones asking the right questions.

You MUST do your homework!


5 thoughts on “Want on the GDPR Bandwagon? Be Qualified, or Stay the Hell Off!”

  1. Good article. As usual David you make perfect sense. There are too many folks running around claiming expertise in GDPR who have very little understanding of what it will take to implement it successfully.

    The GDPR is a law and only privacy lawyers are truly qualified to interpret it in the context of the organisations and industries they work for.

    However, the current reality is that there are not many privacy lawyers out there who also have solid experience in cyber security, governance etc who can fit right into the role of DPO.

    The Article 29 Data Protection Working Party lists the relevant skills of a Data Protection Officer to include:
    – expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
    – understanding of the processing operations carried out;
    – understanding of information technologies and data security;
    – knowledge of the business sector and the organisation;
    – ability to promote a data protection culture within the organisation.

    Finding an individual who understands the legal implications of GDPR and is able to coordinate a team of skills – including privacy lawyers, IT, InfoSec, compliance etc. – is probably the way many organisations will go.

    • Many thanks for your comments Omo, and I could not agree more. Finding the right skill-sets will be very difficult for the foreseeable future, but I’d rather a skills-gap than one filled by legions of unqualified opportunists 🙂

  2. Interesting article, yet I am surprised that only privacy lawyers are the ones who can implement GDPR.
    I am a lay person, Group DPO for a FTSE 500, 8 years’ experience and ISEB qualified.
    I get daily emails from companies promoting experts who can assist me. Yet at the moment I could do with a research librarian to check the data mapping exercise and put it in some sort of order.

    • I’m not suggesting that only lawyers can IMPLEMENT GDPR, I’m suggesting that it will be a team effort (Governance) but it’s the lawyers who will set the goals and direction (leading).

      In reality, few organisations will retain, or can even afford, lawyers, so they will end up doing their best to interpret the regulation on their own. My issue is that individuals and organisations who are supremely UNqualified are trying to take over the lawyer’s role.

      I think you have it right, map what you’ve got FIRST, work out if you still need it, THEN worry about ‘compliance’. This is what I think should be done, at least from a security perspective; http://www.davidfroud.com/gdpr-how-do-you-define-appropriate-security-measures/
