Not every company is freaking out about the General Data Protection Regulation. Some are cashing in, big time.
The widespread hand-wringing caused by the last-minute scramble of businesses ahead of the May 25 GDPR deadline is fueling a cottage industry of GDPR experts and consultants. The sheer number of experts is leading some to see a danger that bad advice is being peddled about a regulation nearly everyone finds bafflingly vague. Y2K, after all, saw an explosion of consultants and providers on hand for panicky businesses.
The arrival of GDPR isn’t exactly a sudden shock. Data privacy experts such as Robert Streeter, News UK’s group data protection officer, have long warned others not to take the advice of every so-called expert at face value. But many companies procrastinated in addressing the implications of GDPR, leading some to jump on quick-fix, cheap options at the last minute in order to proclaim they’re compliant. Some of these options are either totally bogus or not actually required under GDPR. A quick online search surfaces dozens of different GDPR courses. Some are more bona fide and endorsed by the Information Commissioner’s Office; others are unaffiliated with any official body.
The issue is there are no official GDPR qualifications, unless you’re being hired as a data protection officer — a role defined by the ICO. Otherwise, it’s rather wooly what qualifies one as a GDPR expert. For example, do you need a law degree? Apparently not, according to John Mitchison, director of policy and compliance at the Direct Marketing Association, though it’s preferable.
“The formal certifications mentioned in the GDPR haven’t been created yet, so companies saying they are certified — by who? They can only be self-certified or have had a lawyer check it, but that’s not enough,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe, who has worked on both the media owner and the advertiser side.
One data protection trainer and consultant has posted on his LinkedIn profile: “Data Protection trainer and consultant. Not GDPR certified because nobody is.” Another industry executive added that there are no real GDPR qualifications, but “plenty of charlatans.”
“There are a bunch of people calling themselves experts and doling out shonky advice,” said Dan Wilson, CEO of London Media Exchange. “They won’t be penalized by regulators for having taken bad advice because they’ll still be able to show that they’ve been trying to act in the spirit of the law. The issue is that these companies are going to have to start again from scratch.”
LinkedIn is starting to fill up with cries for help — and dozens have “GDPR consultant” in their job titles. “A small agency we work with has been totally messed around by a supposed GDPR expert, and as a result, they are now just a few weeks to go and need to start again,” read a message on LinkedIn this week.
Part of the problem is there is a serious lack of skilled data protection professionals in the market, which means DPOs are in short supply, and those businesses that don’t have well-resourced legal teams are turning to quasi experts for guidance. In 2016, the International Association of Privacy Professionals calculated that in the U.K., a minimum of 28,000 DPOs would be required in businesses. But a DPO role requires specific technical skills and a deep understanding of data protection, and those are tough to find.
“There is an enormous shortage of people who can be employed as DPOs,” said Wollen. Typically, that’s a problem for smaller organizations that have fewer resources, though some have opted to share the cost of an external DPO, and others have asked them to merely greenlight compliance work rather than start from scratch, reducing their bill in doing so. But this skills gap has opened up a chasm that opportunists are exploiting.
“That gap is being filled by people who don’t have the qualifications,” said Wollen. “There is a culture forming where you can sit for an online exam and come away with a piece of paper saying you’re certified. These online courses are now being churned out.”
Mixed messages around whether legitimate interest will exonerate businesses from having to ask for consent are also rife, according to sources. But as with all laws, the devil is in the detail, and people are being misinformed by self-proclaimed experts who haven’t done their homework.
“Lots of people are grasping for legitimate interest as a get-out-of-jail-free card, not understanding that one of the biggest questions you must ask is: Does the data subject have a reasonable expectation to use their data? If they have never heard from you and there is no relationship, then how on earth can they?”
Inboxes everywhere are pinging with messages from all kinds of companies, asking people to give consent or simply informing them that if they take no action at all, that will be viewed as consent. One of the unintentional side effects of this panicked consent checking: consumer consent fatigue. The smarter marketers will weed out inactive people in their databases rather than blast everyone in them with compliance messages.
However, these slapdash techniques for compliance aren’t likely to stick. Bona fide insurance companies have gotten wind of the opportunity to provide businesses with GDPR compliance cover, according to sources. “You can be sure insurance companies will go through a business’s compliance meticulously before giving cover,” said Wollen.
There is some hope. Some believe the May 25 deadline will separate the genuine GDPR experts from the cowboys. “Without a scary deadline, the people with skills and good ideas – new and old – will thrive but the folk who rely on scaremongering will be stuffed,” said Tim Turner, data protection trainer and consultant.