
Want on the GDPR Bandwagon? Be Qualified, or Stay the Hell Off!

First, what do I mean by ‘qualified’? – I mean that the only people truly qualified to lead a GDPR project are lawyers specialising in privacy. That’s it. This does not preclude non-lawyer privacy experts or lawyers not specialised in privacy, but you get what you pay for.

EVERYONE else only has a part to play. Often a very significant part, but that’s it for them as well. A part.

I’m NOT saying that every single organisation has to make the significant investment in a privacy lawyer to meet the intent of GDPR. I’m saying that the only ones qualified to determine ‘intent’ in your organisation’s specific context, are privacy lawyers. No-one who is an expert in information technology, or cybersecurity, or any other subject is qualified …unless they are also a privacy lawyer.

To labour the point even further, holding a ‘Certified EU General Data Protection Regulation Practitioner’ qualification does not make someone qualified either …unless – you guessed it – they are also a privacy lawyer.

I’ve seen every type of vendor from Cyber Insurance providers, cybersecurity consultants, to single-function technology vendors, make the most ridiculous claims as to their suitability to ‘help’ with GDPR. All to make a bit more money while the GDPR bandwagon is on the roll.

The prize so far goes to a consultant who maintains that the entire GDPR can be ‘operationalized’ under the ISO 27001 standard. Unfortunately this attitude is pervasive, as no organisation seems to want to share the opportunity with appropriate partners. The attitude of ‘land-the-gig-and-we’ll-work-out-how-to-deliver-it-later’ cannot apply here. GDPR is a law, one with significant penalties attached, so unless you really know what you’re doing, stick to what you know. And ONLY what you know.

For example, I can be [very] loosely categorised as a ‘cybersecurity expert’, so that limits my ability to help with GDPR to:

  1. Data Security – As I’ve said a few times now, of the 778 individual lines of the GDPR Articles, only 26 of them are related directly to data security. That’s only 3.34%. Yes, I can help you implement ISO 27001 to cover that 3.34% (a.k.a. “appropriate security and confidentiality”), but if GDPR is the only reason you have to implement ISO, don’t bother, you’ve missed the point;
  2. Secure Technology Implementation – GDPR is not about technology, but implementing GDPR will have significant technology implications. From collection of consent (Recital 32), to age identification (Recital 38), to the rights to erasure and rectification (Recital 39), technology will play a big role. All of this technology will require appropriate security wrappers in line with demonstrable good security practices; and
  3. Governance Design and Implementation – Any organisation that has a Governance function already has a GDPR Implementation Team in place. Since there can be no true Governance without full departmental representation (Technology, Security, Legal, PMO, Sales, Marketing and so on), it follows that the Security team will get a full understanding of GDPR’s impact from the Legal team. In turn, Technology and Security will have significant input into Legal’s decision-making, and it’s this ‘negotiation’ under the Governance umbrella that gives GDPR its ‘organisation specific context’.

This should be more than enough for any security consultant, but apparently it’s not enough for some consultants who want to replace Governance all by themselves. But, what’s wrong with partnering up with others to do the parts you absolutely should not touch? Is it not better to be really good at the one thing you do for a living and be part of a team of experts who can cover the other bases?

To put this another way, do you really want to ruin your reputation by lying to your clients now, or be the resource they turn to for every similar problem from this point forward? Do you want to sell used cars or be a trusted advisor?

GDPR, like security, is not complicated. It’s actually very simple, just BLOODY difficult to implement. There is not one individual who can simplify this for you, not even a privacy lawyer. So if you’re looking to implement GDPR, you can rest assured that anyone who is a) not a privacy lawyer, AND b) not part of a team of experts with collaborative skill-sets, AND c) trying to sell you something, should be listened to with caution.

As always, I am not going to lay the blame entirely at vendors’ feet; they too have a business to run. In the end, the only people who get the answers they need on GDPR are the ones asking the right questions.

You MUST do your homework!


13 thoughts on “Want on the GDPR Bandwagon? Be Qualified, or Stay the Hell Off!”

  1. Good article. As usual David you make perfect sense. There are too many folks running around claiming expertise in GDPR who have very little understanding of what it will take to implement it successfully.

    The GDPR is a law and only privacy lawyers are truly qualified to interpret it in the context of the organisations and industries they work for.

    However, the current reality is that there are not many privacy lawyers out there who also have solid experience in cyber security, governance etc who can fit right into the role of DPO.

    The Article 29 Data Protection Working Party lists the relevant skills of a Data Protection Officer to include:
    – expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
    – understanding of the processing operations carried out;
    – understanding of information technologies and data security;
    – knowledge of the business sector and the organisation;
    – ability to promote a data protection culture within the organisation.

    Finding an individual who understands the legal implications of GDPR and is able to coordinate a team of skills – including privacy lawyers, IT, InfoSec, compliance etc – is probably the way many organisations will go.

    • Many thanks for your comments Omo, and I could not agree more. Finding the right skill-sets will be very difficult for the foreseeable future, but I’d rather a skills-gap than one filled by legions of unqualified opportunists 🙂

  2. Interesting article, yet I am surprised that only privacy lawyers are the ones who can implement GDPR.
    I am a lay person, Group DPO for a FTSE 500, 8 years’ experience and ISEB qualified.
    I get daily emails from companies promoting experts who can assist me. Yet at the moment I could do with a research librarian to check the data mapping exercise and put it in some sort of order.

    • I’m not suggesting that only lawyers can IMPLEMENT GDPR, I’m suggesting that it will be a team effort (Governance) but it’s the lawyers who will set the goals and direction (leading).

      In reality, few organisations will retain, or can even afford, lawyers, so they will end up doing their best to interpret the regulation on their own. My issue is that individuals and organisations who are supremely UNqualified are trying to take over the lawyer’s role.

      I think you have it right, map what you’ve got FIRST, work out if you still need it, THEN worry about ‘compliance’. This is what I think should be done, at least from a security perspective;

      • Interesting read. I disagree though that the lawyers definitely must be the ones to set the goals and direction for some quite simple reasons.

        A lawyer, whilst being a vital member of the team, cannot decide which elements of the Regulation should be delivered as a priority over others, as the risk appetite of organisations would vary. If I am organisation A and I deal with providing entertainment for teenagers aged between 13 and 16, and I previously did not require the consent of parents before processing/accessing/storing their data but now require it, then my focus may be on changing the business process of delivering that service and making sure I capture consent.

        A different organisation providing cloud solutions for storage might be more focused on data retention/deletion than they are on consent.

        These decisions will not be made solely, or rather I should say these are decisions which do not require legal expertise before they can be made, and in most GDPR programs where a risk-based approach is being followed these are examples of the judgment calls that need to be made.

        I agree with you though that you need a team of experts with collaborative skill sets to drive compliance.

        All the best.

      • Thank you Jonathan, and fair points. I will counter though that only a lawyer (or other privacy expert) can really determine what processing represents the biggest risk to the business, which should at least help drive priorities.

  3. What rubbish this article proliferates – once again, arrogant and greedy lawyers hijacking, for their own ends, EU-generated nonsense. No doubt these ambulance-chasing individuals will, even now, be building their “no win – no fee” thievery designed to line their pockets and put right-thinking people out of business.

    • If that’s all you took from this, then you entirely missed the point. Suggest you read the title again.

      If you’re sick, do you go to a faith healer? If you’re looking for a personal trainer do you hire a fat smoker?

      Regardless of your clear personal animosity toward BOTH lawyers and the EU, getting the RIGHT help for your business is the only way forward.

      Unless of course you don’t consider privacy to be an issue worth addressing?

  4. Hi, as a small business I’ve tried to get some awareness of GDPR and have developed a policy titled “GDPR”… hopefully this is okay as I felt I should do something… a bit worried as I did the policy myself using a template online… but I’m only a tiny business.

    • Hi Jamie,

      The fact that you have anything at all puts you far in advance of a great many organisations, even those who should know better.

      From my perspective as a non-privacy expert, as long as you appropriately support the rights of the data subject (Articles 15–18, 20–21) and have sufficient security controls around the data you have, you will be well under the radar. Rightly so.

      Kudos Jamie, and good luck.

  5. New subscriber to your blog. I’m DPO for a non-profit and a startup SME; swimming against the senior management treacle of apathy!
    On the DPO qualifying skills: we’ve learnt from sec 69(1) of the DPB the interesting news that a controller in scope MUST appoint a DPO. This is a serious departure from the GDPR wording.
    What’s your thought on 500k DPOs running amok?

    • Hi Mark, many thanks for taking the time to post!

      I think it’s a REALLY bad idea! There are not 500K qualified people in the WORLD!

      No, what’s going to happen is one of 3 things. An organisation will: a) take a significant financial hit and hire an appropriate resource (even part-time would be relatively expensive), b) outsource to a ‘virtual DPO’ (and God knows what that will get you), or c) ignore the requirement and hope for the best.

      As a VERY small business owner myself, I know which I’m going to choose…
