News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Here's what it takes to be a certified DPO in Spain Related reading: Outsourcing the DPO? Here are questions to ask

rss_feed

""

The Spanish data protection authority is the first in Europe to set up regulations for data protection officer certification schemes. The rules explain in detail what someone will need to demonstrate and do in order to become a DPO in the country.

The EU General Data Protection Regulation, which will come into effect in May next year, mandates that companies engaging in large-scale monitoring of people, or handling a significant amount of sensitive personal data, will need to appoint a DPO. They can be either internal or external, but they will need to have "expert knowledge of data protection law and practices." There will need to be tens of thousands of them across the EU.

But how do companies know and demonstrate that their DPOs are any good? There is no requirement in the GDPR for DPOs to be certified as experts, but many may find it useful, and the Spanish Data Protection Agency (AEPD) has decided that certification schemes need to have some kind of framework within which to operate.

The Spanish framework

To that end, the AEPD has worked with Spain's National Entity of Accreditation and a panel of data protection experts to develop a Spanish DPO certification system. ENAC's role in this is to accredit the certification schemes, which it is doing according to the ISO 17024 standard. This will allow DPOs certified under such schemes to assert that they really know what they're talking about, by showing off their "mark of conformity."

The AEPD published its guidelines this month, although it first announced its collaboration with ENAC back in July. "To date, there is no entity accredited yet," ENAC's Irene González Fernández told The Privacy Advisor last week. 

The guidelines set out the respective roles of certification bodies, which can only operate with ENAC's rescindable approval, and training entities, which will need to get certification bodies to recognize their courses. 

The AEPD noted that it may set up a separate process for authorizing training entities. "If needed, a list of requirements for both the training courses as well as the entities offering such courses will be published, establishing the content, minimum duration of training and requirements regarding training personnel, resources, facilities, performance, etc," the guidelines state. 

Wannabe certification bodies will be able to apply for a non-renewable "provisional designation" that will allow them to operate for up to one year, in order to get the experience they need for full accreditation. 

Certification bodies' evaluators will need to "have training and professional experience equivalent to or greater than the candidate to be certified, and the capability to evaluate the assessment exams." They will also need to have both an undergraduate degree and at least five years' experience in either data protection or information security.

What it takes to be a DPO

So, what will people need to do in order to win certification as a data protection officer in Spain?

Firstly, they will need to demonstrate one of the following prerequisites in order to get to the assessment stage: at least five years' professional experience working on data-protection-related activities and/or projects; at least three years' experience on the same, plus at least 60 hours of recognized specialist training; at least two years' experience plus at least 100 hours of training; or, in the case of zero experience, at least 180 hours of training.

Importantly, training will not need to be acquired in Spain — it can come from elsewhere in the EU too, although obviously the Spanish certification body will need to recognize the relevant training entity.

Certification will only last for three years, after which DPOs will need to be recertified.

The exam syllabus for certification will cover data protection on the international, European and Spanish fronts. Unsurprisingly, candidates will need to fully understand the GDPR, Spain's own data protection law, and the fundamental rights that underpin these. They will also need to know about the opinions of the Article 29 Working Party and the upcoming European Data Protection Board, and to demonstrate knowledge of data-protection-related laws such as the under-works ePrivacy Regulation.

Here's the AEPD's list of DPO functions that are listed as "required competences" for people seeking certification. While pretty massive compared with the GDPR's own list of at-minimum tasks, it could provide a useful guide for people thinking of becoming a DPO elsewhere in the EU, too:

1. Compliance with principles relating to processing, such as purpose limitation, data minimization or accuracy

2. Identifying the legal basis for data processing

3. Assessment of the compatibility of purposes other than those which gave rise to initial data collection

4. Determining whether any sectoral regulation may determine specific data processing conditions that are different from those established by general data protection regulations

5. Designing and implementing measures to provide information to data subjects

6. Establishing mechanisms to receive and manage requests to exercise rights of the data subjects

7. Assessing requests to exercise rights of the data subjects

8. Hiring data processors, including the content of the contracts or legal documents that regulate the controller – processor relationship

9. Identifying international data transfer instruments that are suited to the needs and characteristics of the organisation and the reasons that justify the transfer

10. Design and implementation of data protection policies

11. Data protection audits

12. Establishing and managing a register of processing activities

13. Risk analysis of the processing operations carried out

14. Implementing data protection measures by design and by default that are suited to the risks and nature of the processing operations

15. Implementing security measures that are suited to the risks and nature of the processing operations

16. Establishing procedures to manage violations of data security, including assessing the risk to the rights and freedoms of the data subjects and procedures to notify supervisory authorities and the data subjects

17. Determining the need to carry out data protection impact assessments

18. Carrying out data protection impact assessments

19. Relations with supervisory authorities

20. Implementing training and awareness programes for personnel on data protection.

DPO candidates will also have to sign up to a code of ethics covering legality and integrity (i.e. sticking to what the law says), professionalism ("scrupulous" loyalty), responsibility (not doing what they don't have the competence to do), impartiality (not succumbing to conflicts of interest), confidentiality ("safeguarding the right to privacy of all interested parties"), and transparency (except where confidentiality is needed). 

Breaches of the code could mean the suspension of their certification for up to six months, as would various other infractions, and repeated infractions could lead to the withdrawal of certification.

It probably goes without saying that accepting "fees, gifts, or favors of any type from clients or their representatives" would constitute a violation of the code, but there you have it anyway.

Interestingly, the code of conduct also forbids DPOs from doing anything that directly or indirectly competes with the AEPD or the certification body.

photo credit: Contando Estrelas España, España, España via photopin (license)

Author
Headshot David Meyer Nonmember Contributor
Tags
Enforcement
Privacy Law
Privacy Operations Management
2 Comments

If you want to comment on this post, you need to login.

  • comment Israel OTURA GARCIA • Sep 28, 2018 
    Hello David,
Thanks for the article.

Has IAPP applied as certification body? 

Will any of the certifications issued by IAPP qualify the professional to be a DPO in Spain?

Thanks!!
  • comment Sam Pfeifle • Oct 2, 2018 
    Hi Israel - this is Sam, IAPP content director. We have not applied for certification in Spain - we've looked at the requirements extensively and it is not easy! If we can find a way to operationalize their requirements and our ISO requirements, we'd love to make it happen, but it won't be soon.
Related Stories
Outsourcing the DPO? Here are questions to ask
As the deadline for the implementation of the EU GDPR nears, many (if not most) companies outside those early starters have not yet filled their DPO role as required under the new regulation. With the limited quantities of qualified and experienced DPOs insufficient to meet the market demand, there ...
Read More queue Save This
The legal risks for the DPO
While the role of data protection officer has come into the spotlight given the impending General Data Protection Regulation in the EU, with that prominence may come personal liability. As the titular head of the data protection and privacy program, the DPO may be interpreted as the final decision m...
Read More queue Save This
Related Stories
Tags
Enforcement
Privacy Law
Privacy Operations Management
Recent Comments