How to choose an EU GDPR consultant
In the effort to make your business GDPR compliant, you may realise that you and your employees do not have the required expertise. Therefore, hiring a GDPR consultant can be a good option in order to get the needed expertise and to save time.
Hiring the right consultant can be challenging for anyone, and it can end up being either a complete relief or a stressful trauma. Law compliance, in fact, is often associated with bureaucracy, and it is considered to be a waste of time and money, distracting managers and staff from the core business.
In this article, learn how to pick the right person for your GDPR compliance project and which criteria to consider.
GDPR compliance has a multidisciplinary nature; therefore, you will find consultants with various backgrounds, from engineers to lawyers and IT security experts. This can be confusing when browsing consultants’ CVs.
Check for a previous background in the privacy field or in a connected field, such as digital law, data security or IT security, or ISO 27001. None of these types of expertise should imply full knowledge of the GDPR requirements but, if this previous knowledge is merged with experience in the GDPR compliance field, you will probably find a consultant with a good understanding of your needs.
When hiring a GDPR consultant, look for someone who has previous experience in implementing the GDPR. In the last two years, GDPR consultants have gained considerable experience due to the countless requests for GDPR implementation they received by companies at the time the regulation went into force.
You can ask for references to check about previous jobs. Another aspect to consider is to check for previous experience in your industry, because knowledge of your industry can help the consultant to suggest measures that fit better with your workflow.
Checking if your consultant writes articles or books, hosts webinars, or speaks at conferences can give you an idea of his reputation as an expert. In fact, reputation is a key asset for a consultant, as it is built over a number of years. While the GDPR is a recent regulation, data protection and digital law aren’t, so it can be worthwhile to check for previous interest for these topics.
A change of industry, of course, can be challenging for a consultant’s career, and the development of the digital industry brought consultants from other fields to focus on data protection. In such cases, it can be worthwhile to verify the consultant’s reputation in the previous industry, why the consultant developed an interest in the GDPR, and whether he kept track of this change of career with an investment in additional education or he mastered the topic with his own elaboration. Therefore, articles, books, and being known in the consulting environment can give you an idea of his expertise.
When selecting a consultant, you need to balance the cost of his compensation with the benefits that he brings to your company. In terms of the required time of your employees, you need to know whether your consultant will require your company‘s co-operation or will be able handle the work by himself.
Consulting firms are usually more expensive than freelancer consultants who can do a good job and are flexible enough to work with different professionals.
If your company has some of the required expertise (i.e., a good data security staff), you can consider hiring a consultant who has the missing knowledge in order to realise a path to GDPR compliance working as a team. In this case, the time of your employees on the GDPR compliance project should be considered as part of the cost.
Implementing GDPR compliance needs training and can require developing a new way to work with data, so the consultant you are hiring needs good communication skills. Moreover, he needs to be a good listener in order to provide a GDPR compliance project that fits with your company and your workflow.
When selecting a consultant, ask about their willingness to sign an NDA agreement in order to protect information about your company. Your GDPR consultant, in fact, will know confidential information about your data, including how it is stored and protected, thereby knowing the vulnerability of your company.
Risks of hiring a consultant
It is worth taking your time in selecting a consultant who is perfect for your needs. Hiring the wrong consultant can make your GDPR implementation useless or a stressful trauma.
The main risks are:
- not addressing the GDPR legal requirements, resulting in fines by authorities or potential litigation from customers and clients because of their data processing
- implementing complicated procedures that are unfit for your organisation with impacts on productivity and efficacy of work
Consider different options
In this case, you might consider hiring an EU GDPR consultant to revise your internal work, in order to make a quality check, and ask for suggestions as if it were an inspection by the authorities.
Therefore, the required skills and experience would be different because you will need someone who can analyse your company as the authority inspectors would, and who can read and understand your accountability efforts. So, previous dealings with a supervisory authority would be helpful in screening the curriculum and interviewing consultants.
No consultant at all is an acceptable option, too
Knowing your company’s needs is one of the key aspects of hiring the right consultant, rather than the first one you meet or the cheapest one.
In fact, sometimes it isn’t necessary to hire a consultant because there are options for the do-it-yourself approach, with the help of more affordable online tools and expert advice. This way, you have the opportunity to avoid expensive solutions with a potentially precarious ending.
Learn more about how to get compliant without spending loads of money on a consultant in this free white paper: Implementing EU GDPR with a consultant vs. DIY approach.
About the author:
Alessandra Nisticò is a lawyer focused on the GDPR, Internet law, European law, and innovation themes that help companies and persons to orient and defend themselves in the digital world, developing its potential.