Greetings from Brussels!
Most recently, I have seen quite some debate on different blogs and social media forums on the rise of training and certification offerings in the privacy space. With the fast-approaching GDPR coming into force next year, understandably so. There has been a continuous frenzy of hype and sense of anxiety surrounding the GDPR and, most notably, this has coincided with a sudden and exponential proliferation of GDPR Certified Practitioner/DPO/Professional courseware and certification/certificates across Europe. A great deal of attention is being given to the training and certification market as companies and privacy pros look to enhance their fluency with the new legislation in applicable jurisdictions and in conjunction with the overall risk associated with their data operations.
Looking back to the DPO panel that the IAPP hosted at the Data Summit in Dublin earlier in the year, I can appreciate that for organizations — small and large — identifying and pursuing adequate training and certification as required is no easy process. The predominant and recurring question I often hear, as echoed at the Dublin Summit, is how one should distinguish and assess the quality and working value gained by the different educational privacy programs.
Fundamentally, it is an accepted given that, with the GDPR, organizations with data at the core of their operations and business models will need to apply and demonstrate an acceptable level of privacy expertise and diligence, not only from a regulatory perspective, one might argue, but also from a good business practice standpoint. This week, Ireland's Data Protection Commissioner released guidance on the appropriate qualifications for a data protection officer. With respect to necessary qualifications, the DPC adopts a risk-based approach, noting "the appropriate level of qualification and expert knowledge should be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection required for the data being processed. For example, where a data processing activity is particularly complex, or where a large volume or sensitive data is involved (i.e., an internet or insurance company), the DPO may need a higher level of expertise and support."
The DPC acknowledges that organizations should proactively decide on qualifications and levels of training required for DPOs and teams, taking account of the scale, complexity and sensitivity of their data processing operations — no one size fits all. The DPC cites differentials between more academically accredited certificates, such as diplomas from national law societies, as well as professional training programs that have international recognition and that offer professional qualifications that require an ongoing commitment to training and education to maintain the professional qualification.
While the list of factors to consider is non-exhaustive, the DPC cautions careful consideration in selection and suggests that organizations look to the entire educational offering, including the nature — and I would add to this the credibility — of the accrediting bodies involved where certification is concerned. Importantly, considering the depth and breadth of organizational (and behavioral) change that might ensue, it is worth going back to the starting premise: Article 37.5 of the GDPR provides that a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.” The GDPR is relatively prescriptive in its framework in this respect and should help guide companies to determine their ongoing educational needs.
Bias aside, I can only speak to the value of IAPP products, and I consider myself incredibly fortunate to engage and work with the countless members and volunteers within our international network who work tirelessly to develop, produce and maintain our privacy training programs leading to robust certifications globally. It is truly a case of data protection professionals from across industries coming together to develop high standards of lifelong education for the privacy profession. The IAPP opened its doors 17 years ago, long before the GDPR was even a consideration, and we will continue to deliver content to the highest standard beyond the road to GDPR.