20 July 2017
The Spanish data protection authority (‘AEPD’) announced, on 13 July 2017, that it had instituted a data protection officer (‘DPO’) certification scheme (‘the Scheme’) in collaboration with the National Accreditation Entity (‘ENAC’) in light of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Under the Scheme, DPO certification will be granted by agencies accredited by ENAC following criteria elaborated by the AEPD.
Joaquin Muñoz, Lawyer at ONTIER, told DataGuidance, “Article 37(5) of the GDPR states that the DPO ‘shall be designated on the basis of professional qualities and, in particular, of expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.’ Recital 97 also provides that the necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data processed by the controller or processor. Since no specific certification is required, under such a framework national data protection authorities (‘DPAs’) can promote certification schemes in order to offer security and reliability both to professionals in the privacy field and to the companies and institutions that will incorporate the figure of the DPO in their organisations.”
The Scheme establishes the competences required of the person who holds the position of DPO, as well as the criteria for assessing whether applicants to the Scheme possess them. When the result of the evaluation process is favourable, the certification body will issue a declaration of compliance or a certificate. The tasks required under the Scheme include advising the data controller, data processor and employees involved in data processing of their obligations under the GDPR; overseeing the awareness and training of personnel; advising on Data Protection Impact Assessments and monitoring their implementation; and acting as a contact point for the supervisory authority.
Muñoz continued, “No specific certification is required to carry out the work of a DPO and companies can base their choice on the criteria of candidates’ expertise, professional qualities and their ability to fulfil the tasks incumbent on the DPO on account of their personal abilities and knowledge. [However] in my opinion, despite not being compulsory, the Scheme could have a big impact on privacy professionals since both companies wishing to hire an internal DPO and companies wishing to hire a professional to carry out these tasks based on a service contract may require this certification. Another issue is the impact that this Scheme may have on other training courses or different certifications since, in some way, this certification is already granted the halo of being an ‘official certification,’ which may affect other certificates that are equally valid.”
The Scheme was developed with the participation of a technical committee of experts that included representatives of professional associations, companies, universities and public bodies. Though the use of the Scheme will not be mandatory, nor will it be the only way of becoming a DPO, the AEPD stated that the Scheme seeks to provide clarity to both privacy professionals and the companies and entities that will be hiring them, and will provide a benchmark regarding the content and elements required by such a certification mechanism.
“It is possible that other DPAs in the EU may create similar schemes,” commented Muñoz. “I think that everything will depend on the needs of each country regarding their professionals and companies having mechanisms to control the quality of the training of future DPOs. In countries where the market for training and certification is not mature, it could be necessary that DPAs fill that gap, but in countries where the offer of training and the expertise of professionals is sufficient, the private sector is likely to be allowed to cover this need.”
Rachael Nelson-Daley | Privacy Analyst