Greetings from Paris!
(Lisez ceci en français ici.)
The CNIL recently published, in the Official (French) Journal of 11 Oct., two framework standards that establish a new national data protection officer certification scheme. This publication comes following a broad public consultation, organized by the CNIL, during which all interested professional organizations, companies, and individuals were able to express their views and contribute. In total, as indicated by the CNIL, nearly 200 contributions were received. The official news release can be found here.
The IAPP also actively participated in this consultation process. Paul Jordan, the IAPP managing director for Europe, and I had many constructive discussions with the CNIL, and we were also invited to their offices for meetings.
The CNIL is only the second European authority to embark on a certification scheme for privacy pros, the first being the Spanish authority back in October 2017. The certification of DPOs is not expressly provided for by the GDPR, which refers to certifying areas of "operations of treatment" set up by controllers or subcontractors. It is, therefore, a notable modification, which was introduced into the existing French law by the law of 20 June 2018.
This innovation, in particular, corresponds to a market need in France. According to some French estimates, the implementation of the GDPR will require the designation of nearly 80,000 DPOs, half of them to be appointed in the public sector. It is in this context that the identification and recognition of authentically qualified DPOs are seen by many as a necessity for companies and administrations looking for such profiles. Consequently, any certification mechanism that helps to meet this requirement is welcome. The CNIL is clear, however, that the certification is not compulsory, but optional. Individuals may perform the function of DPO without being certified, and, conversely, certified individuals may not necessarily be DPOs.
The IAPP, which has a long and established practice of certification and as an organization having certifications certified under ISO 17024, welcomes the frameworks developed by the CNIL, which are based on this same ISO standard. This is also the case of the Spanish certification, which also references the requirement (also voluntary in nature).
First, it should be emphasized that the CNIL will not itself certify the DPOs. The regulator will rely on "approved" certifying bodies to carry out this mission, as is broadly foreseen by Article 43 of the GDPR.
The first framework reference (Decision No. 2018-317 of 20 Sept. 2018) concerns the DPO certification bodies. This reference mandates a first requirement that the certifying body seeking approval by the CNIL is certified ISO 17024. The reference system also defines the criteria as to how an organization assesses a candidate's competencies for certification. A multiple-choice questionnaire test in French, consisting of at least 100 questions, is foreseen, of which 30 percent must be formulated around practical case scenarios. The IAPP welcomes the importance given to practical assessment, which corresponds to its own methodology in the context of its certifications (CIPP/E and CIPM). The certification bodies must allow observers from the CNIL to be present during the tests.
The second reference (Decision No. 2018-318 of 20 Sept. 2018) aims to define the criteria that candidates wishing to be certified under the scheme will have to fulfill. To qualify for access to the testing phase for certification, the candidate must have at least two years professional experience in projects, activities or tasks related to the missions of the DPO; have at least two years of professional experience; and have at least 35 hours of training in the protection of personal data delivered by a training organization.
The framework requirement lists 17 specific areas of skills and competencies that candidates must possess. These requirements reflect thematically the various missions and obligations of the DPO as defined under the GDPR. By way of example, the candidate will need to know how to establish procedures to manage requests for the exercise of rights of persons concerned, organize and participate in audits, and identify personal data breaches requiring notification to the supervisory authority.
Following on from Spain and France, one can only speculate that other protection authorities may take the same path, which, in turn, may lead to a more European and harmonized approach to DPO certification.
If you want to comment on this post, you need to login.