So you think you're a GDPR consultant?
It seems every man and his dog has jumped onto the GDPR bandwagon. IT people who were, up until last week, shifting boxes of routers are now reinvented as 'privacy ninjas'. I've seen solicitors warn healthcare providers that they cannot continue processing health information because of Article 9. Even Business Gateway in Scotland have produced advice warning small businesses that they must 'get consent for everything'.
I have personally been working with personal data since 1997. From operating as a Data Protection Officer to architecting technical infrastructures that supported a privacy-first approach - I have been required to have a sound working knowledge of all of the principles of Data Protection, subject rights, e-Privacy rules and Information Security.
Although the core principles behind the GDPR have been around for a lot longer than that, this hasn't stopped people preaching that it's a 'whole new approach to data protection' - often with a consistently incorrect message:
- That you're going to need to get consent to do anything.
- That you should expect huge fines that will destroy your business if you don't.
- That the new rules about X are somehow unjust or unfair - when X has been illegal for around 15 years.
This isn't a complaint about new people coming into the industry - new blood is both a good and a necessary thing. It's just that poor advice from those who are well-intentioned but badly-prepared harms everyone.
Read the flaming manual
The GDPR isn't rocket science. As regulations go, it's only 88 pages - and the really important stuff for small businesses can be found on pages 32 to 53 - Articles 1 to 34. I strongly advise all my clients to read it because I firmly believe that many consultants haven't, and I also believe that knowledge is power.
Data Protection challenges are not solved by rumour and mis-information - they are solved by having a complete knowledge of the subject in hand and of the options that are available to you.
Business owners - especially small business owners - generally know how their business uses data, and hence are well positioned to make informed choices - even if they need some initial orienteering and a good 'steer' in the right direction.
If the ICO come knocking, a hastily drawn up retrospective list of excuses attempting to justify what has just happened or how you came by the data that was just compromised won't wash. Ample preparation with good research, some well reasoned logic and exemplary documentation - all completed before the event - will go far to mitigate any enforcement.
Be sensible about the fines
There is a movement - especially amongst 'solutions' providers - to tout gear which 'solves' the GDPR problem. That's fine - if they work. And cover everything. All of the time. The problem comes when one time it doesn't and the ICO come knocking to discover that you've done absolutely nothing else to prepare for the GDPR save buying a box or a piece of software.
Invariably - these solutions are touted alongside large banners, warning of fines of "over £20 million" and hinting that buying the product will 'save the business'.
In 2016 / 2017 the ICO concluded 17,300 cases and just 16 of them resulted in fines for the organisations concerned. Furthermore, they have yet to invoke their maximum powers under the 2010 regime. The ICO has been at pains to point out that any monetary penalty under the GDPR will be "effective, proportionate and dissuasive, and will be decided on a case by case basis."
Scaremongering does not help anyone. It's also a lousy way to sell a product.
Know your limits
There is an unwritten rule in aviation. After 100 hours of flying you think you know everything. After 1,000 hours you know you don't. After 10,000 hours you finally realise you never will know everything.
No-one will be critical if you don't know an answer but then make every effort to find out.
Not just any old answer - try to make it a good one. A definitive, researched, considered answer which includes all of the nuances one might expect from something which is principles-based like the GDPR. Your clients will thank you for it. Your profession will thank you for it when you share it on LinkedIn. You will learn something too. Win:Win.
Move off compliance
No-one is going to be compliant by Friday May 25th, 2018. With all the necessary advice and guidance still not written, zero case law and political, economic, social and technical landscapes in a constant state of flux - the best anyone can hope for is damn good preparation. Even without the details, it's perfectly possible to get your house in order. And, to be fair, even without definitive guidance, most of us can guess the direction of travel... all good marketing will require consent in the future, and transparency will require that you name and shame those 'selected partners'.
When Elizabeth Denham spoke of May 25th at the recent Data Protection Practitioner Conference, she called it the start of a journey, not the end. Getting prepared for that journey is what counts.
Take the European view
I have been fortunate to have spent around twenty years working on projects that have deployed right across Europe and beyond into China, the US, South Korea, South Africa, India and more. It has allowed me to see how different cultures view Data Protection.
I have had many a discussion with a client who would insist that Data Protection does not apply to their European client's business contacts, or that an inability to restore from backup would not be classed as a breach. The discussion usually ends with my client naming and shaming me in front of their client on the next conference call, only to face an embarrassing climbdown when it transpires they were very wrong.
Different cultures feel very differently about data privacy. In particular, a UK citizen might think very differently to a German one. Recent history in Europe has not been great - genocide, ethnic cleansing, forced euthanasia, political turmoil, concentration camps, and domestic surveillance - personal data falling into the wrong hands could literally mean the torture and death of a close friend or relative.
Article 9 of the GDPR is basically just a list of Europe's most notorious 20th Century atrocities, which is why no ordinary businesses are supposed to be processing this information. Understand why it's there and what it means. This means you'll also need to read the UK's Data Protection Bill which includes many derogations that you will need to read and understand in order to make the GDPR work in the UK.
Stop blaming the GDPR...
The GDPR doesn't exist in its own bubble - other terms and conditions apply. If you are using data for marketing purposes, then the Privacy and Electronic Communications Regulations (PECR) will apply. If you are collecting CCTV images - then you will have to comply with the Protection of Freedoms Act (POFA), amongst others. Being lawful (principle one) also requires you to be lawful in its wider sense.
As consultants - we must understand this, and we must be careful not to blame Data Protection when other laws come into play. Clients that don't fully understand their legal obligations are far more likely to make poor, possibly illegal, decisions moving forward.
Program Manager, Compliance at Google | Stanford GSB (5 years)
I like the brutal honesty.

International Privacy Advocate and Cybersecurity Consultant (Available for immediate consulting engagements) (6 years)
I think therefore I am. I'm pink therefore I'm SPAM...

AI & Privacy Engineer | Data & Ethics | (SCC) Member | AI Risk Assessments | DPIAs | Privacy management programs | Lecturer, Instructor & Advisor | U of Toronto SCS | Digital Governance, Risk & Privacy Coach (6 years)
Yes, I loved the article. Stewart - it was practical and ....perfect. Not sure I can find different words.

Voiceover and Audiobook Narrator | Emotional Intelligence | Speaker (6 years)
Whew, everyone has been making it seem super new AND scary. Nice to read something else for a change!

Legal Consultant & Tech Policy Enthusiast | Advising on Emerging Tech Opportunities and Risks (6 years)
Really logical and honest writing! Being a young professional just now entering the field of data protection (and hopefully eventually cyber security), your thoughts put things into perspective. Thanks for sharing.