27th February 2019
[Disclaimer] We are in the business of protecting clients’ interests and make no apology for the strength of the message in this blog entry.
As most of our regular readers know, our blog posts are usually feedback led, meaning that we respond to the feedback we receive from both our team in the field and from our clients’ own experiences both good and bad.
In today’s blog we are focussing on the ‘industry’ that has grown up around GDPR and Data Protection compliance and, as with so many other things, the message seems to be: buyer beware.
We deal almost exclusively with SME businesses and, as a result, keep a close eye on our fee structure to ensure we are competitive. However, we are becoming aware of an ‘industry’ which has sprung up around data protection advice. There are some good and experienced companies, obviously, but we are receiving reports of GDPR ‘advisors’ with little previous experience of giving binding legal advice, who are charging small businesses high fees both initially and on a recurring monthly basis.
To create some context, in our own case, Clients report that the free introductory advice we offer along with a free written report on the current state of their business is the ‘best thing’ they’ve had from a Law firm in a long time. Well, no surprises there but when they discover the Data Audit for SMEs is just £250 and the whole package usually comes in under £1500 not to mention free annual membership of S.H.I.E.L.D. to demonstrate their compliant status, we usually shoot straight to the top of their Christmas card list.
We have recently encountered two clients who had paid out several thousand pounds and, when we checked, their compliance was not even close to being satisfactory. One of them still referenced the 1998 Data Protection Act in their ‘GDPR Statement’ and neither had been provided with written hard copy documents for the office.
Because we need to keep this reasonably short, we will focus on the upper end of seriousness but of course all prospective clients to any organisation should be asking questions about their experience, previous clients, testimonials etc.
The most serious matters in data protection revolve around planning the protection of the organisation and effective breach activity should errors occur.
These matters are supposed to be addressed by an organisation’s Data Protection Officer (DPO) if they have one. There seem to be a great many organisations offering to be an external DPO for businesses. This is the most serious of the data protection roles, and experience and ability need to go hand in hand.
Generalisations by their very nature are always non-specific but we would strongly advise anyone being offered DPO services to consider the following very carefully.
1) The vast majority of SMEs DO NOT need a Data Protection Officer.
2) A DPO by definition needs ‘an expert level’ of understanding of European data protection law and a variety of IT skills or at least access to them.
3) It was originally envisaged that every DPO would be a qualified lawyer. Thankfully, this has not proved necessary but it is still often observed that an understanding of legal constructions and interpretation, which means at least some legal training, is an absolute must.
4) A DPO must have access to the highest level of management within an organisation. They must be able to coordinate between often conflicting interests in an organisation and have both the authority and credibility to prevail over even the most senior staff (CEOs included).
5) Externally appointed DPOs have the same level of responsibility and accountability in Law as in-house ones. However, Professional Indemnity Insurance to cover bad advice by unqualified ‘Consultants’ is virtually impossible to obtain.
NB: A DPO whose qualifications are only a ‘downloadable’ short course or even one lasting a few weeks in ‘data protection matters’ will get no quarter in court when the prosecution Barrister gets on their feet. There is no acceptable defence along the lines of “Well, I did my incompetent best, Your Honour”.
For free initial advice and a free written report on your data protection status, from an experienced lawyer, visit www.transitionlawshield.com.