GDPR scrambling has spawned a swell of data protection ‘charlatans’
Not every company is freaking out about the General Data Protection Regulation. Some are cashing in, big time.
The widespread hand-wringing caused by the last-minute scramble of businesses ahead of the May 25 GDPR deadline is fueling a cottage industry of GDPR experts and consultants. The sheer number of experts is leading some to see danger that bad advice is peddled about what nearly everyone finds a bafflingly vague regulation. Y2K, after all, saw an explosion of consultants and providers on hand for panicky businesses.
The arrival of GDPR isn’t exactly a sudden shock. Data privacy experts such as Robert Streeter, News UK’s group data protection officer, have long warned others not to take the advice of every so-called expert at face value. But many companies procrastinated in addressing the implications of GDPR, leading some companies to jump on quick-fix, cheap options at the last minute in order to proclaim they’re compliant. But some of these options are either totally bogus or not actually required under GDPR. A quick online search surfaces dozens of different GDPR courses. Some are more bona fide and endorsed by the Information Commissioner’s Office; others are unaffiliated with any official body.
The issue is there are no official GDPR qualifications, unless you’re being hired as a data protection officer — a role defined by the ICO. Otherwise, it’s rather wooly what qualifies one as a GDPR expert. For example, do you need a law degree? Apparently not, according to John Mitchison, director of policy and compliance at the Direct Marketing Association, though it’s preferable.
“The formal certifications mentioned in the GDPR haven’t been created yet, so companies saying they are certified — by who? They can only be self-certified or have had a lawyer check it, but that’s not enough,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe, who has worked on both the media owner and the advertiser side.
One data protection trainer and consultant has posted on his LinkedIn profile: “Data Protection trainer and consultant. Not GDPR certified because nobody is.” Another industry executive added that there are no real GDPR qualifications, but “plenty of charlatans.”
“There are a bunch of people calling themselves experts and doling out shonky advice,” said Dan Wilson, CEO of London Media Exchange. “They won’t be penalized by regulators for having taken bad advice because they’ll still be able to show that they’ve been trying to act in the spirit of the law. The issue is that these companies are going to have to start again from scratch.”
LinkedIn is starting to fill up with cries for help — and dozens have “GDPR consultant” in their job titles. “A small agency we work with has been totally messed around by a supposed GDPR expert, and as a result, they are now just a few weeks to go and need to start again,” read a message on LinkedIn this week.
Part of the problem is there is a serious lack of skilled data protection professionals in the market, which means DPOs are in short supply, and those businesses that don’t have well-resourced legal teams are turning to quasi experts for guidance. In 2016, the International Association of Privacy Professionals calculated that in the U.K., a minimum of 28,000 DPOs would be required in businesses. But a DPO role requires specific technical skills and a deep understanding of data protection, and those are tough to find.
“There is an enormous shortage of people who can be employed as DPOs,” said Wollen. Typically, that’s a problem for smaller organizations that have less resources, though some have opted to share the cost of an external DPO, and others have asked them to merely greenlight compliance work rather than start from scratch, reducing their bill in doing so. But this skills gap has opened up a chasm that opportunists are exploiting.
“That gap is being filled by people who don’t have the qualifications,” said Wollen. “There is a culture forming where you can sit for an online exam and come away with a piece of paper saying you’re certified. These online courses are now being churned out.”
Mixed messages around whether legitimate interest will exonerate businesses from having to ask for consent are also rife, according to sources. But like with all laws, the devil is in the detail, and people are being misinformed by self-proclaimed experts that haven’t done their homework.
“Lots of people are grasping for legitimate interest as a get-out-of-jail-free card, not understanding that one of the biggest questions you must ask is: Does the data subject have a reasonable expectation to use their data? If they have never heard from you and there is no relationship, then how on earth can they?”
Inboxes everywhere are pinging with messages from all kinds of companies, asking people to give consent or simply informing them that if they take no action at all, that will be viewed as consent. One of the unintentional side effects of this panicked consent checking: consumer consent fatigue. The smarter marketers will weed out inactive people in their databases rather than blast everyone in them with compliance messages.
However, these slapdash techniques for compliance aren’t likely to stick. Bona fide insurance companies have gotten wind of the opportunity to provide businesses with GDPR compliance cover, according to sources. “You can be sure insurance companies will go through a business’s compliance meticulously before giving cover,” said Wollen.
There is some hope. Some believe the May 25 deadline will strip away the genuine GDPR experts from the cowboys. “Without a scary deadline, the people with skills and good ideas – new and old – will thrive but the folk who rely on scaremongering will be stuffed,” said Tim Turner, data protection trainer and consultant.
For more on the GDPR, download Digiday’s official guide.
‘Netflix for ears’: How a new serialized podcast is helping BMW shift into branded entertainment
BMWs podcast strategy will eschew sponsorships and advertising opportunities moving forward to focus on producing branded shows.
‘This is a relationship business’: The in-person client meeting is beginning to make a comeback among publishers
After months of social distancing, agency and brand exes are starting to ask for in-person meetings. Many are jumping at the chance.
Member ExclusiveDigiday Research: What return to the physical office looks like for media workers — fewer meetings, less snacks
A new Digiday survey found that for 42% of media industry workers, the company hasn’t said anything concrete about when they’re expected to return back to the office.
SponsoredWhy data clean rooms are a start, but not enough
Clean rooms are intended to be a “safe space” for brands to collaborate with walled gardens, but the greater opportunity for all brands is bringing together all of their data to create a single source of truth that they own and can continually enrich.
What comes next: Looking to the other side of the coronavirus fallout, recession and social unrest
Over the next two weeks, Digiday, Glossy and Modern Retail writers and editors will explore what comes next, beyond the short-term effects of the new normal.
The great reset: How sales relationships and structure will change on the other side of coronavirus
After speaking with eight publisher revenue officers about the future of ad sales, forming new relationships rings out as a common concern.