The Spanish data protection authority is the first in Europe to set up regulations for data protection officer certification schemes. The rules explain in detail what someone will need to demonstrate and do in order to become a DPO in the country.

The EU General Data Protection Regulation, which will come into effect in May next year, mandates that companies engaging in large-scale monitoring of people, or handling a significant amount of sensitive personal data, will need to appoint a DPO. They can be either internal or external, but they will need to have "expert knowledge of data protection law and practices." There will need to be tens of thousands of them across the EU.

But how do companies know and demonstrate that their DPOs are any good? There is no requirement in the GDPR for DPOs to be certified as experts, but many may find it useful, and the Spanish Data Protection Agency (AEPD) has decided that certification schemes need to have some kind of framework within which to operate.

The Spanish framework

To that end, the AEPD has worked with Spain's National Entity of Accreditation (ENAC) and a panel of data protection experts to develop a Spanish DPO certification system. ENAC's role in this is to accredit the certification schemes, which it is doing according to the ISO 17024 standard. This will allow DPOs certified under such schemes to assert that they really know what they're talking about, by showing off their "mark of conformity."

The AEPD published its guidelines this month, although it first announced its collaboration with ENAC back in July. "To date, there is no entity accredited yet," ENAC's Irene González Fernández told The Privacy Advisor last week. 

The guidelines set out the respective roles of certification bodies, which can only operate with ENAC's rescindable approval, and training entities, which will need to get certification bodies to recognize their courses. 

The AEPD noted that it may set up a separate process for authorizing training entities. "If needed, a list of requirements for both the training courses as well as the entities offering such courses will be published, establishing the content, minimum duration of training and requirements regarding training personnel, resources, facilities, performance, etc," the guidelines state. 

Wannabe certification bodies will be able to apply for a non-renewable "provisional designation" that will allow them to operate for up to one year, in order to get the experience they need for full accreditation. 

Certification bodies' evaluators will need to "have training and professional experience equivalent to or greater than the candidate to be certified, and the capability to evaluate the assessment exams." They will also need to have both an undergraduate degree and at least five years' experience in either data protection or information security.

What it takes to be a DPO

So, what will people need to do in order to win certification as a data protection officer in Spain?

Firstly, they will need to demonstrate one of the following prerequisites in order to get to the assessment stage: at least five years' professional experience working on data-protection-related activities and/or projects; at least three years' experience on the same, plus at least 60 hours of recognized specialist training; at least two years' experience plus at least 100 hours of training; or, in the case of zero experience, at least 180 hours of training.

Importantly, training will not need to be acquired in Spain — it can come from elsewhere in the EU too, although obviously the Spanish certification body will need to recognize the relevant training entity.

Certification will only last for three years, after which DPOs will need to be recertified.

The exam syllabus for certification will cover data protection on the international, European and Spanish fronts. Unsurprisingly, candidates will need to fully understand the GDPR, Spain's own data protection law, and the fundamental rights that underpin these. They will also need to know about the opinions of the Article 29 Working Party and the upcoming European Data Protection Board, and to demonstrate knowledge of data-protection-related laws such as the ePrivacy Regulation, which is still in the works.

Here's the AEPD's list of DPO functions that count as "required competences" for people seeking certification. While pretty massive compared with the GDPR's own list of at-minimum tasks, it could provide a useful guide for people thinking of becoming a DPO elsewhere in the EU, too:

1. Compliance with principles relating to processing, such as purpose limitation, data minimization or accuracy

2. Identifying the legal basis for data processing

3. Assessment of the compatibility of purposes other than those which gave rise to initial data collection

4. Determining whether any sectoral regulation may determine specific data processing conditions that are different from those established by general data protection regulations

5. Designing and implementing measures to provide information to data subjects

6. Establishing mechanisms to receive and manage requests to exercise rights of the data subjects

7. Assessing requests to exercise rights of the data subjects

8. Hiring data processors, including the content of the contracts or legal documents that regulate the controller-processor relationship

9. Identifying international data transfer instruments that are suited to the needs and characteristics of the organisation and the reasons that justify the transfer

10. Design and implementation of data protection policies

11. Data protection audits

12. Establishing and managing a register of processing activities

13. Risk analysis of the processing operations carried out

14. Implementing data protection measures by design and by default that are suited to the risks and nature of the processing operations

15. Implementing security measures that are suited to the risks and nature of the processing operations

16. Establishing procedures to manage violations of data security, including assessing the risk to the rights and freedoms of the data subjects and procedures to notify supervisory authorities and the data subjects

17. Determining the need to carry out data protection impact assessments

18. Carrying out data protection impact assessments

19. Relations with supervisory authorities

20. Implementing training and awareness programmes for personnel on data protection.

DPO candidates will also have to sign up to a code of ethics covering legality and integrity (i.e. sticking to what the law says), professionalism ("scrupulous" loyalty), responsibility (not doing what they don't have the competence to do), impartiality (not succumbing to conflicts of interest), confidentiality ("safeguarding the right to privacy of all interested parties"), and transparency (except where confidentiality is needed). 

Breaches of the code could mean the suspension of their certification for up to six months, as would various other infractions, and repeated infractions could lead to the withdrawal of certification.

It probably goes without saying that accepting "fees, gifts, or favors of any type from clients or their representatives" would constitute a violation of the code, but there you have it anyway.

Interestingly, the code of conduct also forbids DPOs from doing anything that directly or indirectly competes with the AEPD or the certification body.
