At the time of writing, the General Data Protection Regulation comes into force across the European Union in a month's time. For those who have not already been drowned in the misinformation, snake oil and sales people spouting the dangers of fines for the past two years: the GDPR gives individuals greater rights and protections over their Personally Identifiable Information, and for businesses it sets out the increased responsibilities they will have to take on when handling and storing personal data. How can you certify your business? Who can you turn to for accurate advice?
Who is qualified to help?
In short, no one can be qualified to certify you against the GDPR, because there is no such qualification. Unlike the Cyber Essentials and Cyber Essentials Plus accreditations, which are approved by the ICO, none of the "GDPR Practitioner" courses (typically ranging from 1 to 4 days) are currently backed in this way. The GDPR sets out guidelines to be interpreted by the Information Commissioner in each member country. This means that the 342 LinkedIn professionals describing themselves as "GDPR Certified" in their profiles are working under something of a misapprehension.
To put the curious position of these individuals in perspective, a search for "Sale of Goods Act Certified" returns zero results. The GDPR is a law, and you can't be certified to comply with a law, nor certified to be a practitioner of a law. You CAN certify yourself as compliant with measures within the law as laid down by a governing body. But as of 20th April 2018, there isn't a governing body authorised by the ICO to provide this accreditation.
If you're looking for guidance and support, there are numerous avenues through which you can approach the GDPR. Ensuring that your business is prepared to operate within the new regulation requires a multi-vectored approach: your HR department will have to provide updated contracts and policies, which your legal advisors will have to ensure are comprehensive; your privacy statements will need to be updated; your staff will have to be trained; and your IT systems will need to be audited, secured and managed to ensure ongoing conformity with the new rules.
Be wary of the snake oil salesman who guarantees your business's protection from the GDPR for a small fee on the strength of their "Certification". Just as Health and Safety law requires ongoing action, whole-business involvement, risk assessments and risk treatment plans, so too will GDPR compliance.