Guide to Choosing a GDPR Consultant

Despite the claims of many, ranging from lawyers to software vendors, there is no ‘Silver Bullet’ to achieve GDPR compliance. The legislation is too far reaching, and is surely the most disruptive new legislation to hit the European business community in a generation.

At GDPR Today, we believe there is considerable diversity required from your external consultants, and much will depend on your industry and activity: a care home has vastly different requirements and hurdles than a recruitment consultant, but all must strive to comply with unfamiliar legislation.




For many, the focus on GDPR appears to centre on data breaches through hacking. It’s high profile, sells newspapers, and it’s something we can all digest as important. Check the ‘Have I been Pwned’ website and discover if your email address has been hacked. It probably has. So, now your I.T. department is consuming your GDPR Compliance budget, and you are left with trying to find a solicitor who will write your specialist policy documents for peanuts. Good luck with that.

Conversely, you are reflecting on the work concluded by ‘The Very Large Consultant PLC.’, and wondering why their £60,000 of fees invoiced for a 20-day study of your requirements has produced nothing but a proposal for more time on site: nothing of substance to show your CEO for all of that expense. A banking client related just that scenario last week.


Their Approach to Discovery

The best consultants aren’t always so eager to invoice you: they want to meet you, and gain a sense of your objectives, your timeframes, internal resources, and to build a relationship. After all, you’re going to be working together for quite some time to come.

If you are still facing a blank sheet of paper when it comes to GDPR compliance, your prospective consultant might offer a GDPR Readiness Assessment questionnaire. Be wary of any such document which purports to give you much indication from fewer than 50 questions, such is the scope of the regulation. Will they review your answers for free and offer an initial report? Bonus points for that, and bonus points too if they offer a (deeply) discounted rate for taking control of the survey itself and spending a few days on-site themselves completing the task. Think of these consultants as investing in you.




Beware of the ‘Silver Bullet’ Merchants

These abound, and they tend to be solicitors, software companies, and IT resellers. ‘Install our software and have instant Subject Access Request results’, etc., or claims that their near-magical set of three or four policy documents will confer near immunity from prosecution. It’s nonsense, but such nonsense seems to prevail in the legal industry!

The Lone Ranger himself would have done well out of GDPR, but the responsible firms recognise that there are often specialist niches which lie outside of their experience. So ask the potential firm for their approaches to:

  • I.T.: hardware and software, from anti-virus to document management and beyond.
  • Device management: print management, mobile devices, etc.
  • Legal: do they have the skills to author your policy documents?
  • GAP Analysis and Risk Management
  • Training: staff, management, DPO?
  • Process development: because without processes, your policies are worthless.
  • Proven skills: auditing and assessing for privacy

Give weight to the consultant who replies with honesty and candour, and who suggests they are ready to work alongside third parties who may or may not have been selected by themselves.



The ICO intends to announce options for GDPR certifications in early 2018, and until they do there is no standard other than ad-hoc training. This is by no means to denigrate the IAPP, but the CIPP/E privacy training is not a true international standard: although it is quite demanding, the qualification itself is governed by a commercial enterprise to which membership is mandatory. It is hoped that the ICO will release an appropriate ISO standard and perhaps a KiteMark too, so all consultants have a British standard for conformity. The CIPP/E is extremely useful for a DPO, though, as it does provide a strong measure of their understanding of the legislation.

Qualifications, such as they are for now, aside, your consultant should be able to cite extended experience in the fields of privacy, the Data Protection Act, risk assessment, and records management. An adeptness with software is desirable too, as the investigative data analysis of both your network and connected devices is important.

Your I.T. consultant should be able to conduct an IT Risk Analysis and to certify your organisation with Cyber Essentials, and ideally ISO27001 also.












