The GDPR Gravy Train

A very good friend of mine, a well-respected and distinguished attorney from the other side of the pond, sent me a message the other day which got me thinking. He was quoting a post from a Chief Information Security Officer at a respected multi-national company, which said:

"It is amazing how many 'GDPR experts' are appearing daily and blind contacting me on LinkedIn - I love getting to talk to experts, but it is a real shame everyone is using that term these days - can you be an 'expert' in this area when 3 months ago you were in an entirely different area and have no legal or privacy training?"

My colleagues and I are very experienced in this area. We have spent decades putting theory into practice, studied the subject and often scratched our collective heads wrapping our grey cells around the nuances of case law, but I would never label myself an 'expert'.

At the Griffin House Consultancy we prefer the term 'specialists', as the term 'expert' implies we know everything, which is quite simply impossible. There are some recognised industry experts, such as Peter Carey, whom we all respect and whose knowledge and guidance we call upon daily, but few people can really call themselves experts.

So, what is my point?

This is a call to action. We are desperately short of data protection and compliance professionals, and need quality, well-trained individuals to help guide organisations through the minefield that is the GDPR.

Practitioners: Simply regurgitating the guidance on GDPR found on the ICO website or from other public sources is not understanding. It may be sufficient to help your own organisation prepare, but if you are going to advise clients and guide third-party organisations you need to understand the background to the law, the associated legislation and how to perform accurate and robust risk assessments, and to know what the legislation means as well as what it says. You also need to appreciate that the landscape is currently in a state of flux: what you think you know today may change tomorrow. Be inquisitive and ready to embrace change.

If you are going to offer services as an 'Expert', please do not just rely on a 6-day residential practitioner's course, regardless of how excellent the content; being a compliance professional is about so much more. Please do not misinterpret my message: I want to encourage more passionate and talented people into this industry, and I am not degrading experience; someone working in the industry who is self-taught is just as capable as, if not more capable than, a fresher with a university education.

In fact, that is my story, but to protect yourself and your clients you need a wide and deep knowledge to help and guide them appropriately.

Organisations: If anyone uses the term GDPR expert, ask questions: What experience do you have? What training? What qualifications? Reference sites of previous work? Getting poor-quality advice will potentially cost you more than just time and resources.

Do not be tempted to accept the advice of an 'expert' because it is what you want to hear.
A professional will always tell you what you need to know, not what you want to hear.

The GDPR Gravy Train has already left the station and is gaining momentum. I welcome on board all those with a genuine desire to help promote best practice, raise standards and offer honest, ethical and quality services to their clients.

I just hope those seeing an opportunity to make a fast buck will not tarnish the reputation of those of us trying to do our best for our clients.

The GDPR is the General Data Protection Regulations - the new EU-wide data protection legislation due to become law in all member states on 25th May 2018.

Raj Tandon

Innovation and Growth Specialist at Newable

6 years ago

Totally agree with your views. I am one of those people who have recently become a GDPR practitioner and wish to forge a new career in privacy and compliance. However, having done the usual accreditations does not make me an expert. I do recognise I now need to build on my base knowledge and get some experience. I have contacted countless companies offering my services for free/min wage to get the necessary experience doing some of the laborious tasks etc. but not one has expressed any interest. I even wrote to the ICO. I am thus stuck in a 'chicken and egg' dilemma. There should be an apprentice scheme whereby having got the accreditation you are placed with an organisation to gain the relevant experience.

Ted Murphree, JD, PhD

Cybersecurity/Privacy Legal Professional

7 years ago

Excellent post, Mike. From the other side of the pond.

Charles Meyer Richter

Principal information architect & diagnostician at Ripose Pty Limited

8 years ago

Is this another case of confusing the reader with an implicit acronym? With my apologies to the author, I will assume the author meant to explain the meaning of the acronym but somehow forgot to. As far as I am aware GDPR is the acronym for 'general data protection regulations'. If this is the case (and please do not berate me by saying 'everyone knows that') I will proceed with my comment. If not then please ignore the rest of my comment. Perhaps someone had better create a GKPR - general knowledge protection regulation. If you want to protect 'data', you had better learn from whence data emanates. Data is an implicit artifact encapsulated within the logical realm of the implicit information artifact which is the overarching artifact of all artifacts. Knowledge is a set of explicit artifacts encapsulated within the conceptual realm of the information artifact and is the source of every data element. Without knowledge every data architect is condemned to use the implicit (inaccurate and imprecise) 'rules of normalisation' (1960 - 1974) as developed and taught by the late Edgar Codd (2003) and incompletely expanded by the collaborated work of the late Raymond Boyce (1974). If you do not believe me that these rules are implicit, read Codd's 12 Rules and I insert a quote from the Wikipedia (to save the reader having to use a search engine) which states "Codd's twelve rules are a set of thirteen rules (numbered zero to twelve) proposed by Edgar F. Codd, a pioneer of the relational model for databases, designed to define what is required from a database management system in order for it to be considered relational, i.e., a relational database management system (RDBMS). They are sometimes jokingly referred to as 'Codd's Twelve Commandments'." It is easier to write protection algorithms for 300+ explicit knowledge classes than it is for thousands of implicit data elements.
Having a knowledge model of an enterprise's information requirements provides a navigational map to the enterprise's overarching data needs (i.e. knowledge) and hence provides a security blanket for data. Just for the record I created a GKPR and wrote an artificial intelligent compiler to store and manipulate 'knowledge' back in 1990. Regards. From the pen of a 45+ year veteran in the domains of business-information/conceptual (objectives, knowledge & strategies), information-projects/logical (data & applications) & implemented solutions/physical (databases & computer coded applications).

David Hazelwood BSc(Hons) CertRBCB CITP FIAP MBCS

Senior Business Analyst at Secure Trust Bank

8 years ago

There are no tools to enshrine data privacy governance and accountability into every employee who handles personal data. The regulators are expecting a step change in the way organisations approach how they design and deliver their services. Issues of lawfulness, fairness, consent, legitimate interest all fly straight into the fan unless we all know and understand the implications of our day-to-day actions.

Ken Ryan

Board and C-Suite advisory expert on Technology, Digital Transformation, IT Security and Cloud Computing

8 years ago

Greg Clarke and I were discussing this today as the new Y2K ... this article crystallises the hype around GDPR vs the real agenda of improved data protection
