What does a compliance consultant do?

Let’s get one thing out there from the get-go. Being a Bulletproof consultant is awesome. I haven’t been coerced to say that. I mean, let’s start with that brand name. How cool is it to say I work for Bulletproof? I have several T-shirts with the logo emblazoned across the chest. Sometimes, I even wear them on a non-work day.

Since starting the role, the most common question I get asked is ‘what exactly do you do?’ Mainly by my friends and family who don’t quite understand what compliancy is.

A lot of people think that compliance is boring, entailing little more than reading long, complicated documents and then going out and telling people about them. The reality is much different. Well, I do actually do those things, but it’s more exciting than it sounds.

I get to travel up and down the UK (and will soon be venturing into other countries once our plans for world domination come to fruition) meeting new people that are carrying out some really interesting work. I attend cyber security conventions (like the IP Expo), and learn new things each and every day. It turns out I occasionally write blogs too.

So, what do Bulletproof compliance consultants do?

Becoming Bulletproof

The world of cyber security is an exciting, ever-changing industry that’s only going to get bigger. There is now so much sensitive data flying about the place, seemingly beyond our control, that it can be scary at times. So, it’s no surprise then that compliance has become a big business too. People are starting to take data protection seriously and rightfully so. The arrival of GDPR is testament to that, adding several other branches of compliance to an already broad and varied area. Bulletproof were already helping businesses become compliant in the likes of PCI DSS and ISO 27001, so naturally, we added GDPR and DPO services to our repertoire.

This of course, meant more reading and more qualifications. The GDPR legislation alone boasted a whopping 88 pages. Other materials around this soon flooded in, along with webinars and all manner of talks. All this reading of course means we get more letters after our names. Among our qualifications we have: CIIP (Certified ISO Implementation Practitioner), GDPR EU F and P (Foundation and Practitioner), BSc degrees in the likes of Forensic Computing, and more. With a Bulletproof compliance officer, you get a wealth of practical experience and a vast amount of knowledge.

But how do we put that knowledge to use?

GDPR Gap analysis

The real test for a compliance consultant comes when you find yourself face-to-face with a client who looks to you for all the answers. If a client asks what they need to do in order to meet the requirements of GDPR’s Article 5, you can’t ask them to standby whilst you frantically Google. We’re the experts after all.

One service Bulletproof provides is a gap analysis. A company needing to meet or maintain compliance with a certain standard need to know where they are in comparison to where they need to be. GDPR has a been a big one in the last few years and my GDPR gap analysis engagements have involved heading out to client sites and speaking with a variety of people. Everyone from frontline staff to Directors need to give various levels of input along the way. Personally, this is my favourite part of the job: travelling and meeting new people.

Once I’m there, I must find out what’s going on, what data is stored and where, what controls are in place, what policies are available to the public and what is in them. We get right down to the nitty-gritty. We have to pick up on anything and everything. Why is that USB on that desk out in the open? What’s stored on it? Is it encrypted? That USB could be what causes a company to be considered non-compliant. In some respects, we could be considered professional pedants, but when non-compliance could lead to extremely hefty fines, it pays to be pedantic. No one wants to live my recurring nightmare of being fined £20 million by the ICO.

Implementation

For some, a gap analysis is all they need and that’s fine. However, there are businesses that need that little bit of extra support. That’s where implementation comes in. In a nutshell, implementation is designed to help create the documents needed to be enforced across a business to help achieve compliance. We can provide advice on what controls need to be in place in terms of security, what policies and procedures should be implemented and even help with data mapping. Just having these documents and processes doesn’t automatically make you 100% compliant, but it certainly gives you a significant push on the way to achieving it.

The scale of the work involved largely depends on the findings of the gap analysis, but I usually end up putting together and providing a combination of:

• A Personnel Information Management System (PIMS) for a business that includes a number of policies and procedures
• DPIA framework, followed by training
• Registers (breach, SAR and asset)
• Risk assessment frameworks
• Data and process mapping

Naturally, there’s a lot of things only members of the business can decide and put together, but by providing the above, it gives them a pretty good starting to point. Combine this with the gap analysis report and you’ll have a detailed and accurate to-do list.

Training

Throughout my working life, I’ve always looked for the opportunity to pass on knowledge. I get a real kick out of seeing someone go on to bigger and better things as a result of the training that I’ve given them. It’s just as well then that part of a compliance officer’s job is to arrange and host training sessions. We can cover a wide variety of topics from GDPR (I know I keep mentioning that, but it’s still new and companies are still struggling to get to grips with it), Cyber Essentials and even general cyber security training.

The key thing for me is, if the trainer doesn’t give it their all, then the trainees won’t get the most out of the session. Our training is upbeat, involved and delivered in ways that help everyone, no matter their position, come out knowing everything they need to know. For training to be effective, it needs to be engaging. When it comes to something like GDPR, Cyber Essentials or other security training, a simple PowerPoint will not be enough. If a customer is paying for a training scheme, I feel it needs to be something different. It needs to be something only we can provide. If it’s just reading through a few work sheets that can be sent as attachments, is it really training?

Data breaches are often caused by human error, and how that aftermath is handled will really impact how lenient the regulatory bodies are going to be. Good training will lower the risk of the former and improve the latter.

Data Protection Officer

A relatively new job that has emerged on the compliance landscape is the Data Protection Officer (DPO). Not every company needs to have a DPO, but everyone would benefit from appointing one. Their role is to manage and oversee all things data protection. They’ll ensure the data is kept as securely as possible, regularly update the relevant policies and procedures, liaise with data subjects (the likes of you and me) and manage any fallout should a breach occur. They will be the first point of contact for anything relating to personal data (of both customers and employees) and will ensure all other staff members are aware of their responsibilities and duties regarding such.

Whilst an existing member of staff can be appointed a DPO (providing there’s no conflict of interest with their main role), or a specific person can be hired to fulfil this role, many companies are finding it far more cost effective to outsource this role. We provide DPO services for numerous companies and ensure we know everything we need to know to ensure peace of mind.

Being a DPO for multiple companies requires a few of things:

• A good working relationship with the business
• An understanding of the business
• Good time management
• A full working knowledge of GDPR and everything data protection

I could go on and on about being a DPO, and we've already written a couple of blogs about appointing a DPO and being a DPO.

Cyber Essentials and other cyber security

On top of GDPR and DPO consultancy, we offer Cyber Essentials packages and can oversee other cyber security projects, such as PCI DSS compliance or ISO 27001. All our services are related in the sense that they’re all about keeping data secure through a mix of technical components, management processes and documentation.

These services do differ slightly in terms of implementation and practice and they serve different purposes. They warrant a blog post themselves, which I’ve already started, so I won’t go into too much detail here.

Full circle

So here we are. Back where we started, with that question ‘What exactly do you do?’

In short, we help companies achieve their goals through an interesting blend of documentation, on-site interaction and training, and lending our technical expertise. We strive to make our engagements interesting, effective and low cost in order to help small to medium-sized businesses get through that obstacle course that is compliancy. Overall, the job of a compliance consultant is very rewarding. It makes you feel like you’ve not only made a difference to that company, but you’ve played a key role in protecting everyone that works for and uses that business.

As you can see, there’s a lot to it. No project is the same and we have worked with businesses from just about every industry. So, if you’re struggling with compliance, be it GDPR or Cyber Essentials, get in touch.

p.s. Yes, that is me in the banner picture of this blog. Hi.