GDPR scrambling has spawned a swell of data protection ‘charlatans’
Not every company is freaking out about the General Data Protection Regulation. Some are cashing in, big time.
The widespread hand-wringing caused by the last-minute scramble of businesses ahead of the May 25 GDPR deadline is fueling a cottage industry of GDPR experts and consultants. The sheer number of experts is leading some to see danger that bad advice is peddled about what nearly everyone finds a bafflingly vague regulation. Y2K, after all, saw an explosion of consultants and providers on hand for panicky businesses.
The arrival of GDPR isn’t exactly a sudden shock. Data privacy experts such as Robert Streeter, News UK’s group data protection officer, have long warned others not to take the advice of every so-called expert at face value. But many companies procrastinated in addressing the implications of GDPR, leading some companies to jump on quick-fix, cheap options at the last minute in order to proclaim they’re compliant. But some of these options are either totally bogus or not actually required under GDPR. A quick online search surfaces dozens of different GDPR courses. Some are more bona fide and endorsed by the Information Commissioner’s Office; others are unaffiliated with any official body.
The issue is there are no official GDPR qualifications, unless you’re being hired as a data protection officer — a role defined by the ICO. Otherwise, it’s rather wooly what qualifies one as a GDPR expert. For example, do you need a law degree? Apparently not, according to John Mitchison, director of policy and compliance at the Direct Marketing Association, though it’s preferable.
“The formal certifications mentioned in the GDPR haven’t been created yet, so companies saying they are certified — by who? They can only be self-certified or have had a lawyer check it, but that’s not enough,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe, who has worked on both the media owner and the advertiser side.
One data protection trainer and consultant has posted on his LinkedIn profile: “Data Protection trainer and consultant. Not GDPR certified because nobody is.” Another industry executive added that there are no real GDPR qualifications, but “plenty of charlatans.”
“There are a bunch of people calling themselves experts and doling out shonky advice,” said Dan Wilson, CEO of London Media Exchange. “They won’t be penalized by regulators for having taken bad advice because they’ll still be able to show that they’ve been trying to act in the spirit of the law. The issue is that these companies are going to have to start again from scratch.”
LinkedIn is starting to fill up with cries for help — and dozens have “GDPR consultant” in their job titles. “A small agency we work with has been totally messed around by a supposed GDPR expert, and as a result, they are now just a few weeks to go and need to start again,” read a message on LinkedIn this week.
Part of the problem is there is a serious lack of skilled data protection professionals in the market, which means DPOs are in short supply, and those businesses that don’t have well-resourced legal teams are turning to quasi experts for guidance. In 2016, the International Association of Privacy Professionals calculated that in the U.K., a minimum of 28,000 DPOs would be required in businesses. But a DPO role requires specific technical skills and a deep understanding of data protection, and those are tough to find.
“There is an enormous shortage of people who can be employed as DPOs,” said Wollen. Typically, that’s a problem for smaller organizations that have less resources, though some have opted to share the cost of an external DPO, and others have asked them to merely greenlight compliance work rather than start from scratch, reducing their bill in doing so. But this skills gap has opened up a chasm that opportunists are exploiting.
“That gap is being filled by people who don’t have the qualifications,” said Wollen. “There is a culture forming where you can sit for an online exam and come away with a piece of paper saying you’re certified. These online courses are now being churned out.”
Mixed messages around whether legitimate interest will exonerate businesses from having to ask for consent are also rife, according to sources. But like with all laws, the devil is in the detail, and people are being misinformed by self-proclaimed experts that haven’t done their homework.
“Lots of people are grasping for legitimate interest as a get-out-of-jail-free card, not understanding that one of the biggest questions you must ask is: Does the data subject have a reasonable expectation to use their data? If they have never heard from you and there is no relationship, then how on earth can they?”
Inboxes everywhere are pinging with messages from all kinds of companies, asking people to give consent or simply informing them that if they take no action at all, that will be viewed as consent. One of the unintentional side effects of this panicked consent checking: consumer consent fatigue. The smarter marketers will weed out inactive people in their databases rather than blast everyone in them with compliance messages.
However, these slapdash techniques for compliance aren’t likely to stick. Bona fide insurance companies have gotten wind of the opportunity to provide businesses with GDPR compliance cover, according to sources. “You can be sure insurance companies will go through a business’s compliance meticulously before giving cover,” said Wollen.
There is some hope. Some believe the May 25 deadline will strip away the genuine GDPR experts from the cowboys. “Without a scary deadline, the people with skills and good ideas – new and old – will thrive but the folk who rely on scaremongering will be stuffed,” said Tim Turner, data protection trainer and consultant.
For more on the GDPR, download Digiday’s official guide.
How entertainment publishers are adapting their coverage
Coronavirus may have upended Bustle Digital Group's, People's and BuzzFeed's editorial schedules, but now the publishers creating new franchises out of the pandemic.
With ad rates falling, Snopes can’t keep up with coronavirus misinformation
Snopes had a 50% increase in traffic over the past 30 days, but dwindling ad revenue and a lack of resources is preventing the company from staffing up to combat coronavirus misinformation.
‘We’re looking at this as an opportunity’: Bloomberg Media CEO Justin Smith’s optimistic scenario for media’s recovery
"I just heard this morning from a colleague that was saying that the first couple of weeks are definitely the most difficult": Bloomberg Media CEO Justin Smith.
SponsoredSurvey: The threats of deceptive ads in 2020
Publishers and advertisers: How are you planning to block, eliminate and avoid deceptive ads in 2020? How will deceptive ads impact the 2020 election? Are you seeing deceptive ads that exploit the coronavirus crisis? Take this short survey and we’ll provide the results.
‘Embracing the imperfections’: The test kitchen is now a WFH kitchen
Tastemade, Meredith and the NYT Cooking grapple with what remote working will mean for their production schedules.
Member ExclusiveMedia enters the realm of unknown unknowns
In conversations with several media executives in the past 10 days, we are now firmly in the grip of the known unknowns and unknown unknowns.