[johnchristopher]

There's not really such a thing as being GDPR compliant. It's more about being ready when someone will be coming for a privacy related trial or information removal or when the infrastructure will leak data and the national privacy agents knocks on your door and asks "what did you do to prevent it ?".

Best efforts. Except for the GAFA. And public agencies (best best efforts).

Source: working in a public agency and attending a lot of GDPR intro sessions and watching the consultants walking down the corridor.

[colinramsay]

That's interesting, and echoes my understanding, but what would you do when a client says "we want to be GDPR compliant"? I'm not sure saying "there's no such thing" would really wash. Do you have any resources that might help?

[johnchristopher]

It really depends on the kind of business relationship you have with your client and the field you are in. Questions such as "Are you managing data for them ?", "Who does the actual data encoding ?", "What kind of data are we managing", etc., are on the table.

I'd just say what I wrote in the previous post and talk about the DPO, the infosec manager, etc.

What I am hearing and seeing a lot right now is: hire a consulting gig for a few days that will set you up (good practices, business analysis, risks assessment, iso 27000 and 27001 compliance) and then hire a different consulting gig for two days that will be your DPO and make him come back every 6 months or year to show you are doing your best to prevent leaks.

It really does depend on the nature of your field.

The other thing I hear a lot: those UK law firms that sell GDPR consulting certificates ? Don't waste money on that.

I couldn't really recommend any consulting firm, I only know two of them and I am not involved (yet) enough in the process. But basically we (a public agency) went the consulting gig road and share the fee with other agencies.

Oh, and I am not a lawyer of course.

[boffinism]

That's a really helpful description, thank you!