In recent months in our country, the so-called "zero-cost consultancies" have been on the rise: companies offering advisory services on data protection without complying with any of the minimum legal requirements set by the current General Data Protection Regulation (GDPR) and by the Spanish Data Protection Agency (AEPD) itself.

Many companies have even appeared that offer the possibility of hiring consultancies at zero cost to comply with the law, billing them as training courses, which are already being actively pursued.

Zero-cost consultancies are a risk for your company, so you should avoid hiring them in any case.

What is the reason for the rise of so-called zero-cost consultancies?

The growth in recent months of the so-called "zero-cost" companies is due, in the first place, to the delay on the part of companies in implementing the new data protection measures established in the GDPR.

This delay has motivated the growth of a very "juicy" business niche, which many try to take advantage of by offering advisory services.

Companies' fear of being sanctioned for not complying with the GDPR, especially among SMEs, leads them to hire these zero-cost consultancies to try to tick the box. These services are usually offered by people who see in this fear an opportunity to do business.

What most companies that resort to this type of advice do not know is that it will not free them from the AEPD's sanctions for non-compliance, which can reach 20 million euros, or 4% of annual turnover.

The reality is that these consultancies offer no guarantee, and in no case do they solve the companies' deficiencies in the data protection policy they refer to.

In fact, employers cannot present one of these consultancies as evidence of proactivity in protecting the data of their customers and employees.

How do zero-cost consultancies reach companies?

Telephone audits

These illegal zero-cost consultancies find in the telephone audit their best hook to reach and convince companies that have not implemented the measures established in the GDPR. They make them believe that, after that call, they will comply with all the necessary legal requirements.

The AEPD has also reported that many entities send communications to different companies and organizations stating that they must take medium/high level measures as far as the confidentiality of their clients' data is concerned, and offering them audit services by telephone for compliance with data protection legislation.

In addition, these companies assure their targets that, through this practice, all security measures for information systems and for data processing and storage facilities are complied with.

With the aim of alerting companies, as reported in this news item, the AEPD has stated that offers based on a telephone audit of security measures do not allow the results established in the data protection regulations to be obtained, since the checks that must be carried out cannot be carried out by telephone.

Issuance of seal or certificate


Other entities or consultancies issue the companies that contract their services their own seal or certificate of compliance with the GDPR, making them believe that with this they are fully protected against any inspection, when in reality they are in no position to guarantee it.


Zero-cost consultancies can bring negative consequences for your company, since this type of advice does not meet any of the requirements set by the GDPR and the AEPD and therefore would not free you from the heavy economic sanctions that you could face.

It is important to take extreme precautions and not fall into the trap set by the companies that offer these consultancies. In addition to not complying with the requirements for the correct processing of the data and information of customers and employees, the AEPD states that the responsibility for fraud will fall not only on the companies that promote these consultancies, but also on those that agree to hire them.