The Internet is a risky place for “expertise.” Because it is both a platform and a megaphone, it creates its own multiplier effect for whatever you put into it. If the arguments of the last few years have proven anything, it’s that even a poorly concocted lie spreads far faster than a well-explained truth, largely because the Internet allows for the near instantaneous transmission, repetition, and morphing of an untruth to suit the utterer’s needs, while the pernicious, persistent truth requires you to stick to the script. Fact checking is unreliable, and calling someone to account for being wrong or misleading is, you know, really mean you guys.
We’ve found that the dangers of looking for guidance online fall roughly into two categories: The Trap and the Big Mistake. You can apply the lesson to any subject matter, really, because the underlying risks are always the same, in that someone is either trying to fleece you or someone doesn’t really have any idea what they’re talking about. And for complex matters (like, for instance, with GDPR and its application), the need for expertise increases right alongside the risks of not finding it. It can create a sense of paralysis: if you don’t know that you can trust the advice you’re getting, you don’t want to get advice, and then you either make an uninformed decision or make no decision at all.
To help alleviate the problem somewhat, we want to walk through some steps to help you identify what good advice looks like, what bad advice looks like, and when it’s almost certainly a trap.
Identifying the Traps
The expertise trap can be exceedingly easy to spot. Want to see what I mean? Type “GDPR Advice” in your favorite search engine, and then try to click on the first link. If you’re like me, this is what you get:
Well that sure was easy! Sometimes, a lie is so blatant that even the Internet can detect it. The truth is that browsers and search products both go to great lengths to try to identify risky sites, malware factories, and obvious liars. They, together with regulators like the FTC, look for the worst offenders. But you can’t rely on their ability to filter through the entire Web to find bad actors. Because for every giant red screen warning you, there are plenty of sites with welcoming landing pages.
How can you identify that you’re looking at a deceptive site, then? Critically evaluate what they’re saying. Here are a few warning signs that you’re getting something other than what you’re bargaining for:
1. A promise that they’ll get you GDPR certified, or that they themselves are GDPR certified. There is no such thing as a GDPR certification right now. Yes, Article 42 of the GDPR does talk about granting seals and certifications at some point, but none of the DPAs have done anything much about that, and so “GDPR-Certified” is a sure sign that you’re dealing with a less-than-truthful actor.
2. A guarantee that you’ll be GDPR compliant after they perform their work or sell you their product. We’ve said it before: “GDPR compliant” is a phrase without much meaning, because compliance is an ongoing process, defined both by the actions taken by regulators, the guidance they issue, and the dynamic state of the market and the companies in it. A GDPR compliance program is fine, because it means you’re establishing an ongoing system for analyzing your GDPR-oriented efforts. But a promise of GDPR certification is patently undeliverable, because there is no such thing.
3. A promise of magical technological solutions at a surprisingly low cost. “For $19.99/month, our SaaS platform will provide you all the GDPR coverage you need, respond to DSARs, deal with deletion requests, categorize your data, identify threats, and provide you with sound advice on data protection.” Sounds too good to be true? It obviously, definitively, absolutely is. First, compliance does not have a technological solution, because it depends highly on fact-specific responses to unique circumstances. Slapping tech on a problem is not going to impress a DPA. And second, even if a product could get you close to GDPR compliance, do you really think it would cost twenty dollars a month? Getting ready for GDPR compliance took the average business 3,000 labor-hours of work, and in the aggregate, just preparing for May 25, 2018 cost billions. You can’t expect GDPR compliance to cost the same as your Netflix subscription; anyone who tells you otherwise is just selling you something (namely: not what they’re promising).
Noticing the Big Mistakes
It isn’t just the hucksters that you contend with when it comes to compliance. There are plenty of consultants, lawyers, or other “specialists” who are happy to claim the kind of expertise you need, and who may even believe they know what they’re talking about. This is, in some ways, even more dangerous: the overly confident non-expert providing advice.
To understand the risks here, imagine that you’re a small or medium sized marketing business. You collect data on people in the US and Europe, and you want to make sure that you’re not running afoul of the privacy laws you know about. So you hire a lawyer who claims to know all about privacy, and he tells you not to worry, because, although GDPR is a complicated “notice-and-consent” statute, it doesn’t apply to businesses with fewer than 250 employees. Sounds convincing, right? But it’s still definitely wrong. There’s no exemption for SMBs (although if you have fewer than 250 employees your record-keeping obligations are lower), and GDPR is not, not, not a “notice and consent statute.”
The problem here is that some lawyers (or others) will read one or two Buzzfeed articles (or posts on this blog), pick up a few buzzwords, and then they’re experts. Except, you know, not. The legal profession is awash in people who claim to know everything there is about a topic while actually having only the thinnest cream cheese schmear of understanding. It’s one reason that the rules about who can claim to be a “specialist” or “board certified” are so tough: you have to rein in the bravado to help identify who the real experts are.
So how do you identify the lawyers or others who have the real knowledge as opposed to those who merely pretend? Here’s our advice:
- Does the lawyer or group provide detailed information about their actual experience in privacy and data security? For instance, client names, experience working with regulators, IAPP certifications, ABA-approved specialization? Experience doesn’t always equate to expertise, but it’s certainly hard to gain expertise if you don’t have experience. So ask.
- Do a little research yourself about your question so that you’re not going in to hear someone’s elevator pitch without critical analysis. What do they think are the strongest bases for processing data under GDPR? What do they think of the definition of “household” under CCPA? Can they explain the difference between the HIPAA Privacy Rule and the Security Rule? If you dig a little to uncover some important terms and concepts, you can, and should ask about it. Even if you aren’t an expert yourself, you might be able to spot when someone else isn’t, either.
- Don’t be shy about asking how someone’s expertise applies to your given situation. It’s not uncommon for someone who really does have expertise in a certain topic to behave as though that makes them an expert in others. But a great criminal lawyer isn’t naturally going to be a great labor and employment lawyer – plenty of times, the disciplines don’t overlap nearly enough, and the nuances don’t translate. Ascertaining how your lawyer or your consultant will be able to take their skills and make them work for you isn’t prying or nosy, it’s good vetting, which is what you need.
It’s difficult to find people with the skills and experience necessary to help guide you through the complicated process of creating a privacy compliance regime. But the costs, and consequences, are much worse when you have to restart the process from scratch after a disaster. Due diligence isn’t just about closing deals, it’s about who helps you get to the table to begin with. A good expert is hard to find, but when you do, they make a difference.