At ECOMPLY we are seeing first-hand that the majority of companies outsource data protection to a consultant. This makes perfect sense for reasons we have already discussed in other blog articles. In this article, we will be looking at the different setups that data protection consulting projects have and the types of client-consultant interaction that happen in these projects. You can compare the setup of your business with these types and consider how ECOMPLY can best support it.
Data Protection Consulting
When people speak of consulting, this can mean a lot of things. While some consulting might just be a small number of hours or one-time advice by phone, other consulting could be months (even years) of full-time work contributing to a project. Furthermore, consulting might be limited to small aspects of a business, or it might cover multiple areas or even the entire business.
So first we have to describe the types of projects that we see are common in the data protection consulting business before we can go into each one in more detail.
Occasional Advice
The client might say to the consultant: “We will come to you when we need you.”
In this setup, the client is handling the data protection organization autonomously. The DPO is typically a full-time employee of the client business. Only on occasion, for difficult or contested issues, does the client reach out to the consultant to get his or her advice. The consultant is typically not aware of the day-to-day activities of the client and needs to always get fresh context information.
We often see this type of consulting when the consultant is a lawyer who focuses on giving specific legal advice (in contrast to a Data Protection Officer (DPO) mandate). This setup is most often encountered in large enterprises with dedicated data protection teams.
The contractual setup is usually not “DPO-as-a-Service” (DPOaaS) but rather individual billing.
Supervision in Collaboration
The client might say to the consultant: “We often rely on your advice. Let us decide together.”
Another very common setup is the ‘supervisor from a distance’. In this setup, the consultant has a permanent and recurring interaction with the client and usually holds the DPO mandate. The key element of supervision is that the client has appointed one or more so-called Data Protection Coordinators who handle all day-to-day tasks. The supervising consultant focuses on big-picture questions, prioritisation, providing advice and conducting regular audits. As such, the supervisor is well aware of the data protection organization from the sidelines. One could say that this is the (outsourced) setup the lawmakers of the GDPR had in mind.
This setup is most often encountered in mid-sized organizations with 1000 to 10000 employees where there is enough budget to assign in-house staff but there is still a need to rely on an external expert.
The contractual setup is typically “DPO-as-a-Service” (DPOaaS).
Supervision as Full-Service
The client might say to the consultant: “We need you to take care of everything. Let us know if you need anything.”
Lastly and most commonly, we encounter the full-service consultant situation in which the external DPOaaS consultant is the main actor in the data protection organization. The DPOaaS consultant is the appointed DPO and also handles most day-to-day tasks. On the client side there are contact persons, but often not with complete project knowledge. The client receives regular reports on the work and progress of the consultant.
The contractual setup is typically “DPO-as-a-Service” (DPOaaS), but at a higher price point compared to collaboration.
How each interaction works
Now that we have described each setup, let us inspect what the consultant-client interaction looks like in practice. How many meetings are happening? On-site or online? What documents are exchanged?
Occasional Advice
Because in the ‘Occasional Advice’ scenario the interaction between the client and the consultant happens so irregularly and work items might not be related, the consultant needs complete contextual information alongside every consulting request. The consultant can request additional information if necessary. Results are typically discussed live in person and delivered to the client as a package of documents. The start and end dates of the interaction are close together.
Supervision in Collaboration
The interaction in supervision consists of regular progress and content updates in a common format. Regularly, the supervisor needs to be able to quickly understand the status quo and grasp what is new. In turn, the client needs to deliver concise and complete reports. Because there are many small interactions over an indefinite period, they need to be fast and efficient. The supervisor needs to judge each work item and he can only judge based on complete information. To save time, the interaction is often online and asynchronous (via email or a shared platform).
The project contracts typically have an automatic extension, running for many years.
Supervision as Full-Service
In this setup, the supervisor cannot rely on receiving complete information from the client. Rather, he has to gather this information himself. Therefore, the interaction consists of the supervisor asking for information and processing it. Once each work item is done, the consultant reports back to the client with regular reports and data protection documentation.
The project contracts typically have an automatic extension, running for many years.
How ECOMPLY supports client-consultant interaction
ECOMPLY as a Data Protection Management Platform connects any interaction that happens between any of the client(s) and the consultant(s). In the following, we inspect what this looks like in practice.
Occasional Advice
In this setup, the controller information is managed by the controller, a.k.a. the client. As the external consultant may not be familiar with ECOMPLY, it is often not necessary to invite them as users to ECOMPLY. Rather, the relevant documentation can be exported from ECOMPLY and emailed to the consultant. When this happens on a recurring basis, the consultant will become familiar with the consistent ECOMPLY document format. The client has the benefit of being able to easily export any document or information about the data protection organization.
Supervision in Collaboration
To enable an efficient collaboration between the consultant (supervisor) and the client (controller), all involved parties have user accounts on the ECOMPLY platform with full access to all parts of the data protection organization. Through the ECOMPLY platform, consultant and client can collaborate efficiently by:
- Having access to the same information, starting from concise dashboards combined with the ability to drill down
- Having the ability to assign each other tasks, see task progress and communicate with comments
- Enabling asynchronous collaboration where the involved parties do not need to be in the same room or video conference in order to progress.
Supervision as Full-Service
The interaction in full-service mode is the newest addition to the ECOMPLY platform. In this setup, the supervisor is the main user of the ECOMPLY platform. Here, he can handle any of the hundreds of tasks that are part of his duties. Because the consultant is providing a full-service offering to the client, the client neither needs nor wants to see the details of the data protection organization. Rather, the client focuses on results delivered by the consultant. As such, the interaction with the client consists of these deliveries in the following shapes:
- The system dashboard provides a rich and easy to understand interface on which the client can see the status quo and any open tasks that he needs to do.
- The consultant selectively delivers his results to this dashboard by choosing what the client needs to have or needs to know at any point in time.
- The consultant has an exact understanding of what information the client has and what the state of his documentation is. (This is a key difference to the situation where a consultant emails his results to the client; he has no idea if the client is using current or outdated information or where (and if) he is storing the results appropriately.)
For full-service contracts, the new full-service mode in ECOMPLY is a win-win for the client and the consultant.
The client wants to:
- not have to worry about the day-to-day data protection tasks
- see that his organization moves towards/stays GDPR compliant
- quickly find up-to-date documentation for various situations
- see the results of the consultant's work
- see what he is paying the consultant for
The consultant wants to:
- show the results of his/her work
- appear professional by presenting his work on a very in-depth yet comprehensive dashboard
- prevent the client from using outdated documents
- justify his monthly (flat-rate) fee
ECOMPLY is GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.