by colinramsay
3032 days ago
That's interesting, and echoes my understanding, but what would you do when a client says "we want to be GDPR compliant"? I'm not sure saying "there's no such thing" would really wash. Do you have any resources that might help?
|
I'd just say what I wrote in the previous post and talk about the DPO, the infosec manager, etc.
What I am hearing and seeing a lot right now is: hire a consulting gig for a few days that will set you up (good practices, business analysis, risk assessment, ISO 27000 and 27001 compliance) and then hire a different consulting gig for two days that will be your DPO, and make him come back every 6 months or year to show you are doing your best to prevent leaks.
It really does depend on the nature of your field.
The other thing I hear a lot: those UK law firms that sell GDPR consulting certificates? Don't waste money on that.
I couldn't really recommend any consulting firm; I only know two of them and I am not involved (yet) enough in the process. But basically we (a public agency) went the consulting gig road and shared the fee with other agencies.
Oh, and I am not a lawyer, of course.