Top Tips for Choosing your GDPR consultant

With the introduction of new data protection legislation fast approaching, many organisations are sourcing outside expertise to help them reach GDPR compliance. In a world where most hadn’t heard of GDPR a year ago, there are now many businesses offering GDPR services and products. So how do you sort the good from the bad, and decide who to entrust with such an important task?


Barrister and GDPR specialist Orlagh Kelly offers some advice on what to look out for in your GDPR consultant.



GDPR is first and foremost legislation. If you’re seeking to understand the impact new legislation has on your business, who do you usually ask? Legal experts. Look for GDPR advisers who have a deep knowledge and experience of data protection legislation and case law. Not just the new legislation, but the Data Protection Act 1998 too. Such are the complexities of the GDPR legislation that you need someone who can interpret legislation easily, and translate how it applies to your business.



GDPR brings ongoing obligations and liabilities, similar to health and safety or anti-money laundering legislation. Your GDPR consultant should be someone you can depend on going forward, rather than a short-term solution. Look out for a partner who can safely guide you on the legislation, perhaps for years to come.



Should you suffer a data breach you will enter the difficult and draining scenario of being investigated by the Information Commissioner’s Office. A good GDPR partner will be able to defend your business for you. Having worked closely with your organisation and helped implement your GDPR compliance project, your consultant will be informed and able to launch your defence. Before you choose your consultant ask yourself if you are satisfied that they could advise and represent you if needed.



Last but not least, be wary of GDPR ‘experts’ who work hard to create the impression they have GDPR ‘expertise’ as a precursor to selling. The publicity around GDPR has led to many companies jumping on the bandwagon, providing GDPR ‘expertise’ as a sales tool, scaremongering clients into believing they can only achieve compliance through purchasing their products. In most cases it is possible to achieve compliance whilst working with an organisation’s existing systems, so if you are being given the hard sell, tread very carefully. The perfect GDPR consultant comes from a data protection background


Greetings from our Guru

At Briefed we are very excited to let you know that our founder and #1 data protection specialist, Orlagh Kelly, will be discussing the GDPR issues that matter most to you and your business in her informative new column, the GDPR Guru, live now on

In order to help you to reach GDPR compliance we need to know the data protection issues that are concerning your business. To pose a question to Orlagh or suggest a topic for discussion, email or complete our contact us form.

In the meantime, here's some information about how one of Northern Ireland's top barristers made the transition to GDPR Guru, helping hundreds of businesses to meet their data protection obligations along the way...

1. How did a barrister become a tech entrepreneur? 

I always dreamed about becoming a lawyer. I saw an episode of Perry Mason when I was a child and fell in love with the idea of court work. I really wanted to fight for people who couldn’t fight for themselves.

At 25, I was called to the Bar and found myself self-employed and tasked with building my own practice. But it went well - I established a successful family law practice, handling over 200 cases a year as one of the top-earning family barristers in my jurisdiction.

Since childhood I have dreamt of a career as a barrister. I saw an episode of Perry Mason and fell in love with the idea of court work and of fighting for people who couldn’t fight for themselves. From that day my commitment to my goal was unwavering - I wanted into the courtroom and I wanted to get there fast.

I was called to the Bar aged 25 and having never considered running my own business I found myself self-employed and tasked with building my own practice. 8 years on I had established a successful family law practice, handling over 200 cases a year as one of the top earning family barristers in my jurisdiction. But the practicalities of running my own business were holding me back - I was overrun by paperwork and had no way in which to market myself effectively and grow the business. I knew the answer lay in technology and with no practice management tools available for barristers I took the daunting step into the world of tech and set about developing one myself. And so Briefed was born.

It became clear that one of the key advantages for barristers using the platform was the ability to easily increase their data security. I realised that businesses needed access to a range of products and training in order to meet their data protection and GDPR requirements, a need that no one was satisfying. Hence, Briefed has evolved into a business that not only offers the original case management system but also services companies on every step of their compliance journey, through our e-products and training and our consultancy services.

The two sides of the business go hand in hand. The knowledge and understanding we gain from working with organisations and learning about the practical challenges presenting from GDPR shape and inform our online offerings, ensuring a relevant product designed to truly upskill the user.

2. What was the biggest lesson you learned in different acceleration and incubation programmes? 

It’s very easy to assume everyone else knows what is best for you and your business. Early on, I was encouraged to aim for a Silicon Valley-type business with hundreds of employees and investors, but in reality that wasn’t my personal goal. I’m very happy now with what is a high-quality business with a prominent brand in the UK and Ireland. Over time, I learned to trust in myself and back my own judgment.

3. If you could go back in time, what advice would you give to yourself in the run up to the launch of Briefed? 

I’ve gained a lot from the Lean Startup Methodology. It’s a scientific approach to testing target markets and understanding the appetite for a product prior to development. As the revenue required for development is generated through sales, this way of working can reduce timescales and the need for outside investment. Had I worked with this methodology from the get-go, I could have brought the original Briefed product to the market faster and at less expense.

Read more at 



Sophie Seaton

First things first - what actually is GDPR?

“The General Data Protection Regulation, or GDPR as it is commonly known, is updated data protection legislation that mandates how organisations handle personal data.

Personal data is anything from which a person can be identified, such as an IP address, an email address, a bank account number, even a Facebook profile page or library card number. If your organisation processes personal data of any kind, you need to ensure that you are compliant with GDPR by the enforcement date of 25 May 2018.

Failure to comply will have major consequences, including:

  • Monetary fines
  • Public recognition of the sanction and subsequent damage to reputation
  • Criminal prosecution.

Are these consequences that your organisation could survive?

To hear more about how we can help your business become GDPR compliant, visit


Penalties - Payments, Press and Prosecution

“It has been widely publicised that the penalties under GDPR are much more severe than under the Data Protection Act 1998. The penalty which has received the most coverage is the monetary fine, issued by the ICO. Currently the ICO has the power to issue a fine of up to £500k. Come 25 May 2018, under GDPR, the ICO will have the power to issue a fine of up to £17m or 4% global turnover, whichever is higher.

Secondly, and a penalty which I have found to be much more costly for businesses than any fine, is the publicity the ICO is allowed to generate relating to your sanction. When sanctioned, the ICO will issue a press release, detailing your breach and the sanction they have imposed upon you. Current customers will hear about the data breach, potential customers will hear about the data breach, competitors will hear about the data breach. The impact on the sustainability of your business can be catastrophic.

Thirdly, the ICO have the powers to issue criminal proceedings against your organisation for failure to comply with the legislation. And you could find yourself in court again, being sued by the data subjects for failing to protect their personal data. 

Do you think your business could survive these consequences?

To find out more about how we can help your organisation become compliant with GDPR - visit”.

Does Brexit mean Brexit?

“Since Britain voted to leave the EU in June 2016, I have continuously been asked this one question - Can we ignore the GDPR because of Brexit?

The simple answer is NO.

What most people do not know is that GDPR legislation is already in force in the UK. We are currently in a two year grace period until 25 May 2018, at which point GDPR will be enforced in the UK. On this date we will still be a member of the European Union and we will need to abide by EU law. 

Additionally, any business selling goods or services into Europe or monitoring the behaviour of EU citizens needs to be compliant with GDPR, regardless of their global location. This includes organisations as far afield as the USA or Australia, or most importantly for you and me, organisations in the UK.

If you have been ignoring the GDPR under the belief that it would disappear due to Brexit then think again. You need to consider your data protection obligations under GDPR and you need to consider them now. 

For information on how we can help you on your journey to GDPR compliance, visit”.


The rise of the Data Protection Officer

“The GDPR requires that an entity appoint a Data Protection Officer if they are:

  • A public authority
  • An organisation which carries out large scale monitoring of individuals, such as online behavioural tracking
  • An organisation which carries out large scale processing of special categories of data or the processing of criminal offences.

The GDPR defines special categories of data as personal data that reveal the following about an individual:

  • Racial or ethnic origin
  • Health conditions
  • Sexual activities
  • Sexual orientation
  • Political views
  • Membership of a trade union
  • Genetic or biometric data
  • Religious or philosophical beliefs.

If you process any of these categories of data on a large scale, then you are required to appoint a Data Protection Officer.

The one caveat on this is that, as of this point, September 2017, there is no clarification as to how large scale will be categorised. Data protection specialists, including myself, are awaiting guidance from the ICO as to how this will be classified.

However, regardless of the boundaries that the ICO decide upon, my advice would be - if you are an organisation that would suffer greatly from a breach, in terms of fines, or reputational damage, then you should consider appointing a designated Data Protection Officer. It is safer for you and your customers to have someone with the appropriate expertise ensuring your compliance obligations are being met on an ongoing basis.

If you want to hear more about how Briefed can help you on your journey to GDPR compliance, please visit”.


Mis-sent emails and cyber attacks - the many faces of a data breach

“When most people hear the term data breach they think of a large scale hacking by foreign cyber criminals but, in reality, a breach can come in a much more mundane and simple form.

Under GDPR a data breach is defined as - ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data, transmitted, stored, or otherwise processed.’ 

But what does this mean for you and your organisation?

Here are some previous examples of fines issued by the ICO. It is worth remembering when considering these fines that these were issued under the previous legislation with fines capped at £500k. Under GDPR the ICO will have the power to issue fines of up to 34 times higher!

  • A solicitor sent an email to the wrong person - fined £120k
  • A social worker left papers on a train - fined £70k
  • A filing cabinet was sold containing old files - fined £185k
  • Medical records were left in a disused building - fined £225k
  • A report was posted to a wrong address - fined £60k
  • A memory stick was stolen from a staff member’s home - fined £150k.

Along with each of these fines the ICO issue a press release, publicising your sanction. The combined monetary and reputational damage can have serious repercussions on the sustainability of a business, in some cases leading to business failure. 

To hear more about how we can help your organisation to become GDPR ready and avoid the penalties associated with non-compliance, visit”.


Why, why, why? The reasons for GDPR.

“I am often asked why we need the new GDPR and why we can’t continue to operate under the Data Protection Act 1998?

The Data Protection Act is based upon data protection legislation, first laid down in 1995. At this point I would ask you to think back to your life in 1995... What technology did you regularly use? The internet was not widely available. Hardly anyone had a mobile phone. Phone numbers were written down in address books. Photos were developed. Holidays were booked on Teletext or Ceefax. The amount of data you shared was limited.

Now think about your life as you live it today. How many apps do you have on your phone? How often do you open these apps and what activities do you use them for? Do you buy goods or services? Do you pay bills or check your bank balance? 

The way we use and share information has altered exponentially in ways we could never have envisaged in 1995.

Quite simply the DPA 1998 is no longer fit for purpose and the GDPR is updated data protection legislation, designed to ensure the safety of personal data in our modern, technological world. 

To find out more about GDPR and how we can help your organisation become and remain compliant, visit”. 


Procrastinate at Your Peril

“I often get asked by businesses if they can wait until after the GDPR enforcement date, 25 May 2018, to consider their GDPR obligations. My response - ‘would you wait until the day after an exam to start your revision?’

GDPR is already in force in the UK. We are currently in a two year grace period which Government has given to allow organisations to ready themselves for the incoming regulations. It is expected that when the regulations are enforced on 25 May 2018, your organisation will be compliant.

There are two key actions I would recommend for any business beginning their compliance journey:

  • Perform a GDPR gap analysis - analyse how your business measures up to GDPR requirements and what work needs to be done to bring your data protection activities up to speed
  • Train 100% of your employees in data protection - the ICO mandates that all staff are regularly trained in data protection. Not only will training ensure you meet this regulatory requirement but the knowledge your staff will acquire will play a major part in protecting your organisation against a data breach.

To find out more about the Briefed portfolio of services, including gap analysis and training, please visit”.


GDPR Ob-BLOG-ations

Hi, I am Orlagh Kelly, data protection barrister and founder of Briefed, GDPR Compliance Specialists.

I have spent the past 5 years training organisations and individuals across the UK and Ireland on their data protection obligations. Over the past year, I have encountered a lot of uncertainty and apprehension in regards to the incoming GDPR; organisations remain unsure of what GDPR means for them and what they have to do in order to be compliant. In this blog and through my role as the SYNCNI GDPR Guru, I will take you through the most commonly asked questions relating to GDPR, and discuss key points of the new legislation, helping you to gain an understanding of what GDPR means for you and your organisation.

If you have any questions you would like me to answer or any topics you would be interested in hearing more about, please just let me know through the form at the bottom of the page.