Outsourcing GDPR compliance: Avoid the common pitfalls

Published November 2nd, 2018 (updated 2018-12-10). Categories: B2B, GDPR.

In a previous article, I discussed the factors you should consider when deciding whether you want to work on your GDPR compliance in-house or outsource it.

If outsourcing is the better option for you, there are a number of good legal or consultancy businesses who can lead you over the line.

I have a few suggestions to help you pick the best option for you and to help you avoid the common pitfalls.


Knowledge + Implementation = Compliance

As I mentioned in my previous article, I think there are two key things needed to become compliant:

  1. Data protection knowledge
  2. Project implementation experience.

Ensure the people you will be working with have certified knowledge of data protection, and experience running projects that have applied the theory to the real world.


You’re not a school

Watch out for consultancies using your business as a training ground for their employees.

Ask about the qualifications and experience of those who will actually be working on your project, not the people involved in the sales conversation.


Outsourcing the work does not outsource the responsibility

Outsourcing the work does not mean compliance is now someone else’s problem.

Compliance will always be your responsibility.

If they get it wrong, you will be held responsible.

You will need to be involved throughout the project: you need to know what they are doing and why, and you need to be comfortable with their decisions.

Ask about how their approach will enable you to remain informed throughout the process.


How do you eat an elephant? One bite at a time

It’s very difficult to keep on track when a project has multiple streams, with deadlines that are months away.

Wherever possible, break the project into bite-sized chunks.

Small chunks are easier to digest.

Each chunk should have a clear set of deliverables (a fixed scope) so everyone is clear what ‘finished’ looks like for this chunk.


Hourly billing is not the only option

I’m not a fan of the hourly billing model for a whole range of reasons that I won’t detail here.

Hourly billing is like taking a flight where the airline charges you per minute of flight time, with the final cost only known when you land.

Would the airline be motivated to get to your destination as quickly as possible?

A fixed-scope chunk should also enable you to get a fixed cost for that chunk.

A fixed cost enables everyone to focus on completing the chunk:

  • You won’t be watching the clock – you can focus on getting the job done.
  • Your consultants won’t be messing about – they’ll be focused on getting this done and on ensuring you are doing your bit too. Their livelihood will depend on it.

I hope these recommendations help you select the right outsource provider for you.

If you would like further help to identify how you can outsource this work, I’d be delighted to talk to you.


About the Author:

Hi, I am Sam Glynn of Code in Motion. I hold various data protection certifications (CIPP/E, CIPM, CDPO) and regularly train future DPOs on behalf of the IAPP. I help businesses that are struggling to comply with data protection rules. I provide pragmatic guidance using plain English.