Being compliant with the EU General Data Protection Regulation (GDPR) became crucial and mandatory for companies processing personal data, and not every company has the expertise or the time to implement all the requirements by itself, which creates a great market for GDPR consultants.
- Acquire the necessary knowledge and skills through formal education, self-education and attending groups of professionals;
- Find clients (follow industry groups and communities, find job postings or team up with other professionals);
- Build a solid reputation by giving public speeches and writing articles and books.
The market of GDPR-related services grew in the past few years, with various job positions from GDPR consultancy to internal roles in companies, making this a great opportunity for privacy and data protection professionals. In this article, we will go through what’s needed to become a GDPR consultant.
What qualifications do you need?
The GDPR has a multidisciplinary aspect, so the backgrounds of GDPR consultants can vary—from information security to legal to IT or even data engineering. Some courses focused on data protection are also offered at universities and other academic institutions.
Being qualified as a Data Protection Officer (DPO) can certify to your prospects that you have been trained on GDPR compliance and data privacy regulation implementation. The DPO is the key role indicated in the GDPR; it is an independent position, whether internal or external to the company, and is meant to be the central point of contact between the controller, the data subject, and the Supervisory Authority (or Data Protection Authority, DPA). Being a certified DPO can prove your skill as a GDPR consultant even for clients who do not need a DPO.
To find out more about the roles and responsibilities of the DPO, see The role of DPO in the light of General Data Protection Regulation.
What skills do you need?
Advising on GDPR requirements and implementation requires strong legal knowledge of this privacy regulation and of the decisions by the Supervisory Authorities across Europe that give the current interpretation of the regulation. The evolution of consent, the guidelines on privacy by design, and the procedure to implement a transfer of personal data to third countries are notions that require studying the GDPR beyond the text of the Regulation itself.
Then, there is the knowledge of information security that can help you advise on how to implement the appropriate security measures: for example, how to draft a recovery plan, how to deal with a data breach, or how to determine whether any software or hardware update is needed. This kind of knowledge can make the difference between a strictly legal approach and helping your client reach the balance between costs and the protection of rights that is the goal of the GDPR. Knowledge of ISO 27001, a leading information security standard, can be very helpful for the GDPR – learn more here: How to integrate GDPR with ISO 27001.
As with any consultancy job, even GDPR consultants need some soft skills. In fact, GDPR compliance is often seen as pure overhead cost by companies, and data protection as something that slows down business activity without generating revenue. Therefore, communication skills are crucial in order to make your clients aware of the importance of data protection, even for non-personal data, and a business-oriented mindset can help your clients to estimate a budget in a reasonable timeframe to reach GDPR compliance with the most efficient use of resources. See also: How to perform consulting work remotely.
How to get GDPR competencies
Formal education is one way, but if you are a professional focused on a related field (e.g., information security, computing, law, engineering, management) you can self-educate with books, online courses, webinars, and seminars that complement your competencies and fill in the gaps.
Then, attending professional groups can help you to learn from other professionals’ experience about different solutions to common problems. Reading Data Protection Authorities’ newsletters and decisions is essential in order to learn from others’ errors and implement solutions that those measures often suggest.
How to find clients
As with many consultancy jobs, reputation and authority in your field are essential. You need to demonstrate your expertise and let people know about you.
Groups and communities on data protection and collateral fields (like software development or web design) may publish questions and requests for GDPR consultancy because of the importance of implementing privacy by design. Such communities are good places to meet clients.
On the internet, you can find job postings for GDPR advisors, either as an internal employee of a company or as an external consultant. There are also marketplaces for professionals that can match demand and supply for GDPR consultancy.
Another way can be to team up with other professionals who may need your GDPR expertise for their own clients. However, in any case, the client will demand evidence of your expertise, so building a reputation is crucial.
Learn more here: How to sell ISO consulting services.
How to build a reputation
Building a solid reputation comes through public speaking and writing articles and books in order to increase your authority in your field. Of course, self-education, training, work, and professional attitude are crucial too. Consultants are hired to represent the best interests of their clients, and when it comes to GDPR compliance, you need to balance the different interests that may arise.
Do not underestimate compliance needs or security measures, but do not rely too much on technical instruments while forgetting internal policies and staff training. As security experts say, the strength of a security system depends on its weakest element, and often this is located between the chair and the keyboard. The ability to guide clients through the implementation of the regulatory requirements with ease is crucial to being remembered as serious, reliable, and professional.