
There is No Such Thing as GDPR Certification …Yet!

If you’re looking for more information on GDPR (and surprisingly few of you are), you will likely have seen vendors selling things like the Certified EU General Data Protection Regulation (GDPR) Practitioner course, some of whom also promise delegates that they will be “awarded the ISO 17024-accredited EU GDPR Practitioner (EU GDPR P) qualification by IBITGQ”.

Sounds really impressive, right? Unfortunately, it doesn’t mean a damned thing.

ISO 17024 – Conformity Assessment – General Requirements for Bodies Operating Certification of Persons only covers the “principles and requirements for a body certifying persons against specific requirements, and includes the development and maintenance of a certification scheme for persons”, and the IBITGQ (International Body for IT Governance Qualifications) is only “dedicated to the provision of training, qualifications and the continued professional development of information security, business resilience and IT governance professionals.”

While there is absolutely nothing wrong with either the ISO 17024 standard or the IBITGQ when applied appropriately, neither has anything to do with GDPR certification. The ‘practitioner’ course itself may cover aspects of the GDPR, but there are as yet no certifications available under the GDPR, let alone accredited certification bodies that can issue them.

For example, in the UK, the Information Commissioner’s Office (ICO) will be the ‘supervisory authority’ responsible for the:

  1. “...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1; and
  2. “…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3

In other words, until the ICO publishes its criteria there are no GDPR certifications available from anyone for anything. (Article 43(1)(b) also allows the national accreditation body, UKAS in the UK, to accredit certification bodies, but only against additional requirements established by the supervisory authority, so the ICO remains the gatekeeper either way.) To date the ICO has released nothing on certification or accreditation, not even guidance. Nor has the Article 29 Working Party (Art. 29 WP), to whom the ICO refers.

One of the challenges is that the term ‘certification’ means several things even within the GDPR itself. From the certification of ‘appropriate measures’ between processors and controllers (GDPR Final Text, Recital 76), to “the adherence of the processor to an approved code of conduct or an approved certification mechanism…” (GDPR Final Text, Recital 81), the nature and extent of these certifications will vary considerably.

What IS out there, however, are organisations offering GDPR foundation classes. These courses are designed to instruct and inform, not to hand out useless acronyms. It’s these courses you should be looking into, but, like everything else, you must ask the right questions.

For example, if you’re:

  1. a Data Protection Officer (DPO), you will need to know how the GDPR affects your responsibilities and management reporting;
  2. a contract lawyer, you’ll need to know how all of your vendor AND client contracts will be affected;
  3. an IT manager you’ll want to know how the GDPR will be implemented from an infrastructure perspective; and
  4. responsible for cybersecurity, you’ll need to know how to demonstrate ‘appropriate measures’.

But worse than vendors selling training certificates are the ones selling GDPR compliance consultancy or, worse yet, software. I can understand privacy lawyers offering these services, but cybersecurity vendors!? Data security is less than 5% of the work organisations will have to perform to bring themselves into compliance with the GDPR. Not only that, the ICO’s Guide to Data Protection already cites ISO 27001 under Principle 7 – Information Security, so it’s fairly clear against which benchmark security programmes will be measured.

GDPR is not an IT problem, it’s certainly not just a data security problem, it is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree. The first step is not to buy the first training course that comes your way, it’s to raise the awareness of GDPR to the people whose very arses are on the line. Whether you call them the Senior / Executive Management, the C-Suite, or the Leadership Team makes no difference, the implementation of GDPR starts with those at the top. They are the ones who will be held accountable, so they are the ones who should ensure that everyone has the training and awareness they need.

Every new data protection regulation is seen by vendors as a way into your wallets. The GDPR is no different. Do your homework, and ignore any organisation offering services predicated on fear, uncertainty and doubt. Or worse, utter nonsense.


13 thoughts on “There is No Such Thing as GDPR Certification …Yet!”

  1. My business is certified / registered under the DPA – which broadcasts what we do with data. I am expecting this to be replaced by a GDPR registration / certification process. But who knows?? In any case it is certainly not a “training certificate” we will need.

  2. The text of the draft UK Data Protection Bill and GDPR Article 43(1).b states it is not just the Supervisory Authority who can accredit certification. An accreditation service (i.e. UKAS) can also accredit a Certification Body to issue Data Protection Certifications.

    As for IBITGQ – one needs to question whether a body which isn’t itself ISO 17024 accredited, and where the same person who set up the Certification Body owns the only Accredited Training Organisation (ATO), could legitimately claim their Certifications are ISO 17024 compliant at all.

    • It all depends on what you’re looking to achieve. If you’re looking for a course to give you a background on GDPR then I have no issue with it, despite the misleading advertising. However, if you think this course is in any way sanctioned by the ICO, or if you want to use your ‘certification’ to start providing GDPR services, then you’re asking the wrong questions.

  3. I would like to become a DPO, is there any place where I can have training that will mean something? I was going to do the Distance Learning EU GDPR Foundation and Practitioner courses provided by http://www.itgovernance.co.uk but I am now unsure that this would mean anything to employers?

  4. “Whether you call them the Senior / Executive Management, the C-Suite, or the Leadership Team makes no difference, the implementation of GDPR starts with those at the top.”

    Totally true, and most of them have no clue what the law really means to them. The fines are huge, but how they will be implemented has yet to be seen. Will China, Russia and ME companies be treated the same way as EU and North American?

    I was looking to take those courses but will pass for now.

    Thanks for the warning.

  5. Hi,

    I understand there is not an official recognised body for GDPR; however, as someone in the IT security field it’s good to do the courses and get some certifications. I did the foundation and am already working on a project involving GDPR. I am doing the practitioner in Jan 2018 to give me more experience and knowledge. The fact is your certification gives you extra credit during any job interviews, and if you have your certification with little experience you’re halfway through the door. My advice: do the course and earn the certification from a reputable training organization.

    • Hi Marko,

      As an IT security professional I believe privacy needs to become a core competence to your function, but ONLY in so far as you have enough knowledge to put what legal say into effect. We are only EVER enablers, with absolutely no business making determinations on legal basis for processing, contract language, or legitimate interest.

      So while I have no issue with the GDPR practitioner course [other than its very misleading advertising] for background on the GDPR, to use this ‘certification’ to lead a GDPR project is unconscionable.

      I will be taking the Certified Information Privacy Technologist (CIPT) and Certified Information Privacy Professional/Europe (CIPP/E) from IAPP early next year, both of which blow the practitioner course away. But I STILL won’t be leading a GDPR project, ever.

      Good luck to you,

      David

      • Hi David,
        I am a Business Analyst, and like Marko I would like to move into compliance and gain GDPR certification. I was considering going with IT Governance (£2,000) or Henley Business School (£8,500) for the Foundation and Practitioner courses. However, after reading your posts I am now considering taking the same courses you mentioned above.

        Please can you let me know the training company for the Certified Information Privacy Technologist (CIPT) that you are using?

        One last point (I think…..), I have spent the past two months studying GDPR, and like Marko, I want to lead a GDPR implementation, and become a DPO.
        In your opinion, would I be better taking the same two courses you mentioned, along with researching GDPR, to offer awareness to companies and enable me to put into practice processes and procedures to meet GDPR compliance?

        ….Another last point…. would I be better with the two certificates you mentioned or a GDPR Practitioner qualification on my CV when applying for jobs? How would companies view each qualification when recruiting someone with GDPR knowledge to help them conform with the EU GDPR compliance?

        Thank you,
        Michael.

      • Hi Michael,

        I am not using a training company, the IAPP certifications are self-study based on a number of books that they provide. e.g. Introduction to IT Privacy – A Handbook for Technologists

        No offence Michael, but if all you have done is study the GDPR for a couple of months you are in no way qualified to lead an implementation or become a DPO. You are not a privacy expert or a lawyer, so you should not be attempting to determine the lawful basis for processing, nor should you be composing the requisite contractual language or privacy notices.

        DPO is not a title and absolutely not a certification, it’s a function. Unless you have been doing the work of a DPO for a number of years you need to refocus.

        As a Business Analyst there is a LOT of work for you to do. From helping to map the data flows to business processes to working with the IT side of your organisation in reducing the risks associated with having the data in the first place. Stick to what you know.

        Implementation of GDPR is a group effort with absolutely no room for guesswork. The DPO role will likely attract civil penalties in the case of egregious offence, don’t put yourself in that position.

        By making the effort you will get your piece of the pie Michael, make sure it’s the right piece.

        Cheers,

        David
