The making of a GDPR Solution (and a TEAM!)
As I come to the end of the week, the end of the summer, and with a long weekend ahead, I'm looking forward to some downtime. But it has been a week of intense business building and I love it. A bit of train travel as well, which is the thinking behind this article about GDPR.
We've heard about getting on the "GDPR bandwagon", taking the "GDPR Express", and not getting on the "GDPR Mayday Train to Fine-land" for a few months, so we now feel qualified (certified? No, don't go there!) to make a few observations about ourselves... and why we (Lartius Group & gdpr360) feel we have a solution that will meet the needs of businesses on the journey to becoming GDPR compliant.
I'll limit it to three, in no particular order (believe me, there are more...).
1. Do we provide Certification training?
You will likely have seen vendors selling things like Certified EU General Data Protection Regulation (GDPR) Practitioner, some of whom also promise delegates that they will be “awarded the ISO 17024-accredited EU GDPR Practitioner (EU GDPR P) qualification by IBITGQ”. I too got caught up in the euphoria and took one such course.
Impressed, right? I was, when I passed the Foundation and the Practitioner courses. Unfortunately, it didn't mean a damned thing.
ISO 17024 – Conformity Assessment – General Requirements for Bodies Operating Certification of Persons only covers the “principles and requirements for a body certifying persons against specific requirements, and includes the development and maintenance of a certification scheme for persons.” and the IBITGQ (International Body for IT Governance Qualifications) are only “dedicated to the provision of training, qualifications and the continued professional development of information security, business resilience and IT governance professionals.”
While there is absolutely nothing wrong with either the ISO 17024 standard or the IBITGQ, when applied appropriately, they have absolutely nothing to do with GDPR certification. The ‘practitioner’ course itself covered aspects of GDPR, but there are no certifications yet available for GDPR, let alone accredited certification bodies who can provide them.
To quote Froud on Fraud "For example, in the UK, the Information Commissioner’s Office (ICO) will be the ‘supervisory authority’ responsible for the:
1. “...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1, and;
2. “…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3
In other words, without the ICO there are no GDPR certifications available from anyone for anything. To date the ICO have released nothing on certification / accreditation, not even guidance. Nor have the Article 29 Working Party (Art. 29 WP), to whom the ICO refer."
This has been confirmed by my business partner, who validated it with a note we got from the ICO which states: "The position of the ICO is that currently we do not recommend/endorse training providers."
In his words: "Accredited would suggest that the ICO has recognised the standard of a particular course - this is in essence making a recommendation. We do not accredit training providers."
Whilst we offer GDPR workshops and training courses like others do, we do not make any spurious claims about accreditation or certification, but we do set our standards by comparison with Bar exams on the legal side or higher-level professional qualifications, such as TOGAF, on the process/EA side.
These courses are designed to instruct and inform, not offer useless acronyms.
So if you want to be instructed and informed by instructors with experience of the law and its application, who have actually successfully defended legal cases, Lartius Group and gdpr360 can provide this.
2. Do we provide "Expert"ise?
How long do we have to wait for this expert fad to die down? It feels like wherever I look there is a new self-appointed expert trying to extract money from the masses. So-called experts trying to convince potential customers to invest in their courses, workshops, gap analyses and seminars. Don’t get me wrong, I’m not anti-sales, but I am anti-false hope. I find it very disappointing for anyone to exploit someone’s hopes and dreams for personal gain. I've done it myself (not technologically) and have to live with the guilt every day, so I certainly wouldn't want companies to suffer as a result of unscrupulous sales tactics.
Why are IT vendors saying they have software that will ensure GDPR compliance? I can understand the appeal of offering these services, but can they really do what they say? NO!
GDPR is not an IT problem, and it’s certainly not just an "information or data" security problem. It is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree. So you need expertise in law, IT, security, data protection, and project management.
Every new thing is seen by vendors as a way into your wallets. The GDPR is no different. To quote the greatest book ever, The Bible, "there is nothing new under the sun", so beware... and get yourself some GDPR "expertise" from beyond just vendors.
Which brings me onto the "expert" individual. They do exist, even within GDPR. Notice the two middle letters are DP: "data protection". Data has been around a long time. However, the rules for how it needs to be "protected" have changed a bit (actually quite a bit), hence the need for expertise in "DP" but also the necessity to understand the regulation, the process, the governance, and so on. So it takes no genius to observe that a one-man band (or two) never gets very big without help, i.e. a team and a solution, as even he or she will struggle, even as an "expert".
And to quote a book: "There are exceptional people out there who are capable of starting epidemics. All you have to do is find them." With Lartius Group and gdpr360, you have. Very capable.
3. Do we provide a Solution and/or a Team?
It's the same old story: a lot of businesses being scared by lawyers, a few software companies trying to sell a panacea, a few consultants selling "gap analysis", but nobody putting their arms around the customer and taking them on a journey. Sound familiar? Where is the solution, the package, the offering that will guide you toward compliance?
It's been said before. At a minimum, you need:
a. The Project Manager – This one needs no explanation (see previous article).
b. The Lawyer – For some reason, some say lawyers should manage the effort. NO, they should take the lead by helping set the goals and objectives. Lead, not manage. Only lawyers are truly qualified to provide proper context, but only project managers can ensure it all comes together.
c. The IT Techies, Data/Infosec Guys and the Cyberguys (the delivery team) – Where there is technology and data/information, there is a need for security. Period.
or
d. The external partner (all of the above) – to show you where you are, advise you where you need to be, put together a plan to help you get there... (and so on) and continue....
Simply put: NO SOLUTION, NO TEAM, NO COMPLIANCE.
With Lartius Group & gdpr360, all of the above is achievable with a solution from a team of lawyers, consultants, and project managers. We wrap our arms around you and begin, continue, and support you on the journey. Using a "proven delivery method", begun by a PM and continued with the support of lawyers and "expert" consultants, we can guide you.
Let us show you how we can help you.
Just saying
N
Founder & CTO @ BlockAPT | Cybersecurity Expert
Thanks for sharing Nevander. Clearly #GDPR means bringing together a team of techies, lawyers, and DPOs to cover all angles! Looking forward to working with your team!
Cyber Security & Privacy Coordinator - Fondazione Milano Cortina 2026
Great article :-)