Last year we approached our clients and informed them that GDPR would come into effect on 25th May 2018. We researched the impact this new regulation would have on our clients and devised a sensible approach, and a plan to implement it across almost 200 websites.
We had a cost-effective solution in place, and not one of our clients hesitated in having the relevant changes made to their websites. [We also advised clients on their in-house GDPR requirements.] All were grateful for the professional advice given and are more comfortable with their GDPR compliance than they were previously.
However, it has been brought to our attention that there are 'Certified GDPR Consultants' approaching our clients, and others, with warnings of 'non-compliance' and 'illegal references' to promote their services [at an extortionate cost].
So, we would like to respond to this with an examination of these 'Certified GDPR Consultants'.
Anyone looking for a certified GDPR consultant will undoubtedly see companies claiming to be Certified GDPR Practitioners.
In the UK the Information Commissioner's Office (ICO) is the 'supervisory authority' responsible for the:
“...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1, and;
“…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3
This means that without the ICO there are no GDPR certifications available from anyone for anything. To date the ICO hasn't released anything on certification or accreditation, not even guidance. Nor has the Article 29 Working Party (Art. 29 WP), to which the ICO refers.
As for what the UK certification framework will involve, the ICO's own published position at the time of writing says only:
'The ICO has no plans to accredit certification bodies or carry out certification at this time.'
Every new business regulation is seen by certain people as a way to make a quick killing by feeding on companies' fears and uncertainties. GDPR is no different: conflicting and confusing information from the ICO has allowed these so-called 'certified professionals' to charge companies extortionate prices for their own interpretation of GDPR, one that is almost always in conflict with what is already in place.
Do your homework and ask the right questions: what UK certification do you hold? If the answer is 'Oh, my certification is from Europe' or 'the University of Life', then maybe you should rethink your relationship with that consultant.