During the last months, hardly a day goes by for me without receiving offers for services or products related to GDPR. Most of them are either new or the demand for them has dramatically increased. Whether we like this fact or not, we will have to deal with many of them soon.
Some examples are:
In Germany there was already a legal requirement for a DPO if an organization processed PII with 10 or more employees. In fact, many small businesses never had a DPO in the past, but under public pressure they are now looking for external DPOs, lacking internal knowledge or resources. To find an external DPO with reasonable knowledge at an affordable rate is very difficult at the moment.
DPO Trainings (caused by the first point)
Formal training and certification as a DPO was there before but expensive and limited to bigger training providers. This market exploded, bringing up offerings ranging from high quality to a complete waste of money. The problem is that these DPOs will audit our companies for fulfillment of their privacy agreements in the very near future.
Privacy Management Software (influenced by the first and second point)
Software for the easy creation of privacy management documentation (such as checklists, data processing records, privacy agreements etc.) was available before but not in great demand. Today you can select from a large number of products. Obviously such software is not intended to ensure the right controls are in place but to support documentation or give some basic ideas about controls.
Cease and desist letters from dubious organizations have always been around, especially in terms of file sharing or for not having a privacy statement on your webpage. Many small organizations or even private people were impressed by these letters and paid them because they were afraid of even more expensive lawsuits. After May 25th, I expect a new wave of these attempts benefiting from GDPR panic and lack of knowledge or consultancy.
GDPR compliant clouds
The market of cloud solutions that claim to be GDPR compliant is increasing. Of course it is a good thing to have a cloud solution available which is not non-compliant with privacy regulations by design. Unfortunately there is a large number of companies that consider everything sorted by such a solution, not considering clients, network access to these clouds and very often their own privacy processes.
These are just some topics from this new market in a country that already had a very restrictive privacy law before (Germany). I am really curious to hear from you which good or bad highlights GDPR is causing in countries that are used to completely different regulations.
P. S. I apologize in advance for possible grammar weaknesses - as you can guess I am not a native English speaker
DPO Trainings: there are just too many providers who suddenly proclaimed themselves GDPR experts overnight just because they read the GDPR, or in most cases, read some news articles on it without having an understanding of how privacy law works. These should be avoided at all costs. Instead one should focus on trainings, books or courses provided by those who have a genuine background in privacy, such as those from the IAPP.
DPO: Since you stated that there is a real need for DPOs in many organizations, of course the demand means that they cost a little more. If you are getting an external DPO and find it too expensive, why not get an internal DPO instead? Of course an external DPO will charge more since they may be held accountable and responsible in the eyes of the data protection authorities depending on the countries in scope. Laws worldwide vary and in some countries (outside the EU) the DPO may even face criminal liability for non-compliance depending on the severity of the non-compliance. There is no such criminal liability under the GDPR; however, the reputation of the DPO may still be at stake and therefore that is a big risk for them, bearing in mind they may not have the same visibility as to what is going on in the company as a full-time employee. There are very few individuals with good knowledge of how privacy laws work, therefore it is only fair that they cost a little more. Getting some junior person to save some money may be a big gamble for the company in the long term given the sanctions of the GDPR.