Finding a GDPR Consultant

Jul 17, 2019 | GDPR

Businesses have spent hundreds of hours on policy implementation and legal reviews, yet a surprisingly small number of them are GDPR-ready. Major technology companies, including Microsoft and Facebook, have announced global policy changes in line with the law and signaled that more changes are on the way. If your organization serves any users in the EU (even incidentally), you should be taking significant steps toward compliance today, if you have not already. Failure to comply with GDPR carries steep penalties: either 20 million Euros (approximately $24.7 million) or four percent of a company's revenue, whichever is greater.

For non-compliant businesses, there may be hope in demonstrating to authorities that you have made a good-faith attempt and are working toward compliance by engaging a consultant. However, there are a few things you ought to know about GDPR advisers before signing a contract. Here is what small businesses need to know.

Data processing consultants understand that GDPR has created a great deal of demand for their services, and the industry has boomed seemingly overnight. Greg Sparrow, senior vice president and general manager of CompliancePoint, said this surge in consultants has left the sector divided between two major types of advisers.

"There are organizations or individuals who have been involved for the past 10 to 20 years, and GDPR is merely a part of the career path," Sparrow said. "Or there are people who really don't have a lot of experience in any way."

That creates a problem for businesses, especially since many are racing the clock to come into compliance. Luckily, industry associations such as the IAPP have started to offer certification programs to consultants, which can help companies tell legitimate consultants from those merely trying to capitalize on GDPR's implementation. However, those GDPR-specific certifications are too new for everyone to have completed them. Also, Sparrow said, certification alone may not be enough.

"I would also tie in business experience," he said. "A lot of folks have certifications, but maybe not practical industry experience. They walked out of school and got certified because they understand data privacy is in demand. It's important to find that mix of certification and industry experience."

Sparrow urged finding a seasoned, certified consultant and then involving them in a companywide policy implementation process. This means bringing together advisers, legal teams, sales and marketing teams, and business operations for a roundtable discussion about how best to proceed.

What can small companies do?

Complying with GDPR is a massive undertaking, not to mention preserving day-to-day operations while working out new policies. In some cases, meeting all of GDPR's requirements for transparency and consumer control of data means a logistical nightmare for smaller businesses, especially those on a budget. So what can small businesses do?

"While GDPR compliance can be difficult for all organizations, small businesses face a number of special challenges," said Dana Simberkoff, chief risk, privacy and data security officer at AvePoint. "If leaders of both small and midsize companies want to improve their security programs while keeping their budgets under control, the most important thing for them to comprehend is how data, people and location weave together to make patterns — both good and bad — across and within their organizations. Only by knowing your existing data can you effectively protect it."

Simberkoff suggested the following steps for small companies worried about complying with GDPR:

Trust but verify: Workers handling data must be trained to recognize and categorize all sensitive data. Regularly ensure employees understand the policies in place, as well as the tools and training provided to them, and that these are being integrated into daily operations.

Know your organization's information: Be sure to completely understand how information is created, collected, processed and stored. In addition, you have to know how data will be disposed of. A comprehensive understanding will help businesses develop wise policies; for instance, distinguishing between work-related data and personal data.

"While a consultant can help small businesses implement these plans, owners and their workers can definitely take care of these jobs themselves," Simberkoff explained. "Not only does this ensure they are GDPR compliant, but it also saves them money and reduces the chance of scammers getting hold of their sensitive data."

Additionally, it is critical for smaller businesses, which more commonly outsource data processing than large enterprises do, to control how their vendors use the data they collect. Even if a small business does everything in its power to remain compliant, the organization could find itself on the hook if one of its vendor partners fails to meet the standards set out by GDPR.

"Enforcement won't be just the responsibility of the EU, as businesses themselves will need to police their vendors to guarantee the data the vendors are leveraging on their behalf is actually compliant. If not, that opens exposure," said Thomas Pasquet, co-founder of Ogury. "Those unprepared organizations will be in hot water, as it takes longer than two to three weeks to change the way that you collect and process data."

To put it differently, the best time to start working toward compliance was last month.

My organization is based in the U.S.

Even if your organization does not directly conduct business in Europe, you might be capturing and processing data that originated in the EU. That is sufficient to put you squarely within the scope of GDPR and place you at risk of those big fines if you fail to comply with the regulations. "Even if you have a small amount of data on citizens belonging to some of the countries that are enforcing GDPR, you could potentially receive hefty fines of up to $24.7 million or 4% of your annual turnover for the most serious breaches. With ramifications that dire, it is not a risk worth taking."

Even for those companies that are totally, 100 percent certain that they are not collecting any data from EU citizens (no easy undertaking), working toward some semblance of GDPR compliance might be beneficial for a couple of reasons.

According to Sparrow, not only can it be good brand-building practice to demonstrate to consumers that you care about their privacy and do the best you can to protect it, but it also positions your organization to adapt as more regulations like GDPR inevitably crop up.

"Internationally, that is where things are going. If you're going to operate internationally, this is something that you must deal with," Sparrow said. "Whether you think you're in scope for GDPR or not, you should likely start down this route in some shape or fashion. Organizations who will handle [future regulations] best are those which are doing things at the moment."

Just be sure you're hiring somebody with a demonstrable history of experience, strong references and a commitment to the business. Checking those boxes will save you from getting burned by an incompetent or untrustworthy contractor, and it will help make sure your company is prepared to the best of its ability.

PII Compliance offers compliance monitoring across multiple channels against an ever-changing landscape of security threats and legal policies.

www.piicompliance.org