Hiring the right consultant
PHOTO: Shutterstock

Survey after survey has shown that many companies — most in fact — are not ready for GDPR when it goes into effect later this year. Perhaps you're one of these companies or maybend perhaps you're just looking to jumpstart your compliance program.

For many organizations, step two will be to hire a consultant to guide your organization through this daunting process. Now it's time to focus on hiring the right consultant.

With the deadline looming, there are many people hanging out their shingle as a "GDPR expert." No doubt most of these people are legit but as always some are not. More to the point, not all of these experts are going to be the best fit for your operations. Nor will one person have all of the knowledge necessary to get your company up to speed with this complex regulation.

Related Article: 5 Experts Share Advice on Preparing for GDPR

There are two main areas of focus for GDPR. One deals with the process and procedures and regulations — the qualitative side, according to Kon Leong, CEO of ZL Technologies. The other area of focus deals with technical matters. “Ideally you want one expert that’s familiar with both but I don’t think you’re going to find many of those,” Leong said. Most consulting firms, of course, will have more than one expert on staff to guide client companies on the path to compliance. Still, it behooves a prospective client to ask questions. “The GDPR is the biggest overhaul of data privacy regulation that we’ve seen in recent years, so it could be said that no one has been truly prepared for the role,” said Kevin Gibson, chairman and CEO of Hanzo.

The Qualitative Side

The qualitative side — the procedures and understanding of the law — would typically call for an attorney to provide guidance. What a company needs to do is make sure this attorney understands how his advice translates into the tech component of compliance, Bart Willemsen, research director at Gartner said. “How many corporate legal counsels are well-versed in matters of technology?” he said. Any lawyer giving advice on GDPR will require a certain amount of additional training, otherwise they will handle GDPR compliance in a very stringent textual interpretation, he said. “And to be honest, if you don’t know what the IT risks — both external and internal — are how can you properly assess privacy risk?”

To see if a potential attorney can bridge the gap between process and actual implementation, Willemsen suggested making sure that he understands the following.

  • The proper function or value of identity and access management, retention periods, and how such are to be implemented. 
  • The difference between pseudonymization and anonymization — “not as it was discussed in the law books but as it functions in the IT world,” Willemsen said.
  • The risk of re-identification of de-identified information after the retention period has expired.

Related Article: How Will the GDPR Impact Third-Party Lead Generation?

The Technology Side

Here some questions that should be asked, Leong suggests.

  • If an organization finds a document with personal data, how can they identify any duplicates or near duplicates that might be in other repositories? “Duplicates are actually a big problem for many organizations, and tying them all together so that they can be found with one search is a fundamental challenge in information management,” Leong said.
  • Once an organization is able to locate personal data for a subject access request, if requested to delete the data, what steps should they take before doing so to ensure it’s not fundamental to business, legal, or other regulatory purposes? Also, what does this process look like? “Most organizations aren’t able to effectively synchronize all these disparate functions, and so would likely have to manually check various systems before safely deleting data. It would be difficult for most GDPR vendors to solve this problem without a very involved approach that touches on many areas of information management,” he said.
  • How can an organization set appropriate lifecycle policies for data that is not being classified and may contain personal data? “Many organizations only classify and granularly manage business records, which is a small subset of a company’s data. Applying similar controls enterprise-wide to documents that might contain personal data would be difficult under many management approaches,” Leong explained.