The Misunderstanding about the certified Data Protection Officer

February 26, 2019

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) published its first newsletter for Data Protection Officers (DPOs) on the 31st of January. The newsletter briefly discusses a misunderstanding regarding the Data Protection Officer (hereinafter: DPO).

A common misunderstanding that is raised is the misconception that a DPO is responsible for compliance with the privacy policy. However, this responsibility lies with the directors of an organisation. The DPO has the role of supervising that the organisation makes steps in the right direction to compliancy. He or she is tasked with providing guidance towards a privacy friendly organisation. In this blog, I will elaborate on another misconception about DPOs: the certified DPO.

Very often, you can find expensive courses online for certified DPO’s, or vacancies in which one of the requirements for the job is that you are a certified DPO. However, the fact that organisations are advertising with providing DPOs with a "certification" is rather misleading. It suggests that it the certification is a requirement of the General Data Protection Regulation (GDPR) as referred to in Article 42 GDPR. However, the Data Protection Authorities do not issue any certificates to DPO’s. Additionally, most of them havenot yet communicated criteria for the certification of DPOs by external organisations or training institutes (with the exception of the Spanish DPA).

Moreover, the Data Protection Authorities cannot issue any certificates to DPOs, since a GPDR certification is only possible for processings, and not for individuals. The GDPR sets the following requirements for the expertise of DPOs:

  • Professional qualification;
  • Expertise in legislation and in practice in privacy and data protection;
  • The ability to perform the tasks that need to be carried out by a DPO.

The tasks of the DPO are, for example, informing and advising on the GDPR and supervising the GDPR, and advising on and supervising the execution of a Data Protection Impact Assessment (DPIA).

When a DPO is a "certified DPO", it means that the DPO has followed a course with that called itself "certified DPO", or that the DPO received a certificate for the training. Sometimes, the certification refers to the training institute that offers the training. The label "certified DPO" does not say anything about the qualities of the experience of a DPO - which are, in my opinion, precisely the job requirements that are important for a DPO. While many trainings and certifications can provide a good understanding of privacy and data protection, they should not be the only criteria to select a DPO. There are many skilled DPOs who do not hold a certificate, but have years of experience and have the required qualities.

Here are some tips that can give an indication whether a DPO is suitable for the job or the consultancy task:

  • Look at the number of years of substantive privacy experience that a DPO has;
  • Knowledge of information security is an advantage, but is not sufficient in itself as privacy knowledge;
  • Ask for reference projects where a DPO has worked;
  • Have a look at the consulting firm that offers the service to get an idea of ​​their expertise and professionalism.

Do you need to appoint a DPO? Contact us!