GDPR Certified

There is No Such Thing as GDPR Certification …Yet!

If you’re looking for real guidance on GDPR, and surprisingly few of you are, you will likely have seen vendors selling things like a ‘Certified EU General Data Protection Regulation (GDPR) Practitioner’ course, some of whom also promise delegates that they will be “awarded the ISO 17024-accredited EU GDPR Practitioner (EU GDPR P) qualification by IBITGQ”.

Sounds really impressive, right? Unfortunately, it doesn’t mean a damned thing:

While there is absolutely nothing wrong with either the ISO 17024 standard or the IBITGQ when they are applied appropriately, they have nothing to do with GDPR certification. ISO/IEC 17024 sets out requirements for bodies that certify individuals; it says nothing about whether the content of the qualification has any standing under the GDPR. The ‘practitioner’ course itself may well cover aspects of the GDPR, but there are as yet no certifications available for the GDPR itself, let alone accredited certification bodies who can issue them.

For example, in the UK, the Information Commissioner’s Office (ICO) will be the ‘supervisory authority’, and the GDPR makes the supervisory authority responsible for the:

  1. “...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1, and;
  2. “…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3

In other words, without the ICO there are no GDPR certifications available from anyone for anything. (Article 43(1) does allow certification bodies to be accredited by the national accreditation body, UKAS in the UK, rather than by the ICO directly, but under Article 43(3) that accreditation still takes place against criteria approved by the ICO.) To date the ICO has released nothing on certification or accreditation, not even guidance. Nor has the Article 29 Working Party (Art. 29 WP), to whom the ICO refers.

One of the challenges is that the term ‘certification’ means several things even within the GDPR itself. From certification as one of the ways of demonstrating ‘appropriate measures’ between processors and controllers (GDPR Final Text, Recital 76) to “the adherence of the processor to an approved code of conduct or an approved certification mechanism…” (GDPR Final Text, Recital 81), the nature and extent of these certifications will vary considerably.

What IS out there, however, are organisations offering GDPR foundation classes. These courses are designed to instruct and inform, not to hand out meaningless acronyms. It’s these courses you should be looking into, but, like everything else, you must ask the right questions.

For example, if you’re:

  1. a Data Protection Officer (DPO), you will need to know how the GDPR affects your responsibilities and management reporting;
  2. a contracts lawyer, you’ll need to know how all of your vendor AND client contracts will be affected;
  3. an IT manager, you’ll want to know how the GDPR will be implemented from an infrastructure perspective; and
  4. responsible for cybersecurity, you’ll need to know how you will demonstrate the ‘appropriate technical and organisational measures’ that Article 32 requires.

But worse than vendors selling training certificates are the ones providing GDPR compliance consultancy, or worse yet, software. I can understand privacy experts and lawyers offering these services, but cybersecurity vendors!? Data security is, by my estimate, less than 5% of the work organisations will have to perform to bring themselves into compliance with the GDPR. Not only that, in the ICO’s Guide to Data Protection they already cite ISO 27001 under Principle 7 – Information Security, so it’s fairly clear against which benchmark security programmes will be measured. Bear in mind what that benchmark buys you, though: an ISO 27001 certificate is evidence towards Article 32 (security of processing) and nothing else in the Regulation.

GDPR is not an IT problem, and it’s certainly not just a data security problem; it is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree. The first step is not to buy the first training course that comes your way, it’s to read the damned thing, then raise awareness of the GDPR with the people whose very arses are on the line. Whether you call them Senior / Executive Management, the C-Suite or the Leadership Team makes no difference: the implementation of GDPR starts with those at the top. They are the ones who will be held accountable, so they are the ones who should ensure that everyone has the training and resources they need.

Every new data protection regulation is seen by vendors as a way into your wallets. The GDPR is no different. Do your homework, and ignore any organisation offering services predicated on fear, uncertainty and doubt. Or worse, utter nonsense.


37 thoughts on “There is No Such Thing as GDPR Certification …Yet!”

  1. My business is certified / registered under the DPA – which broadcasts what we do with data. I am expecting this to be replaced by a GDPR registration / certification process. But who knows?? In any case it is certainly not a “training certificate” we will need.

  2. The text of the draft UK Data Protection Bill and GDPR Article 43(1)(b) states that it is not just the Supervisory Authority who can accredit certification. An accreditation service (i.e. UKAS) can also accredit a Certification Body to issue Data Protection Certifications.

    As for IBITGQ – one needs to question whether a body which isn’t itself ISO 17024 accredited, and where the same person who set up the Certification Body owns the only Accredited Training Organisation (ATO), could legitimately claim their Certifications are ISO 17024 compliant at all.

    • It all depends on what you’re looking to achieve. If you’re looking for a course to give you a background on GDPR then I have no issue with it, despite the misleading advertising. However, if you think this course is in any way sanctioned by the ICO, or if you want to use your ‘certification’ to start providing GDPR services, then you’re asking the wrong questions.

  3. I would like to become a DPO, is there any place where I can have training that will mean something? I was going to do the Distance Learning EU GDPR Foundation and Practitioner courses provided by but I am now unsure that this would mean anything to employers?

  4. “Whether you call them the Senior / Executive Management, the C-Suite, or the Leadership Team makes no difference, the implementation of GDPR starts with those at the top.”

    Totally true, and most of them have no clue what the law really means to them. The fines are huge, but how they will be implemented has yet to be seen. Will China, Russia and ME companies be treated the same way as EU and North American?

    I was looking to take those courses but will pass for now.

    Thanks for the warning.

  5. Hi,

    I understand there is not an official recognised body for GDPR, however as someone in the IT security field it’s good to do the courses and get some certifications. I did the foundation and am already working on a project involving GDPR. I am doing the practitioner in Jan 2018 to further give me more experience and knowledge. The fact is your certification gives you extra credit during any job interviews and if you have your certification with little experience you’re halfway through the door. My advice: do the course and earn the certification from a reputable training organization.

    • Hi Marko,

      As an IT security professional I believe privacy needs to become a core competence of your function, but ONLY in so far as you have enough knowledge to put what legal say into effect. We are only EVER enablers, with absolutely no business making determinations on legal basis for processing, contract language, or legitimate interest.

      So while I have no issue with the GDPR practitioner course [other than its very misleading advertising] for … on the GDPR, to use this ‘certification’ to … GDPR project is unconscionable.

      I will be taking the Certified Information Privacy Technologist (CIPT) and Certified Information Privacy Professional/Europe (CIPP/E) from IAPP early next year, both of which blow the practitioner course away. But I STILL won’t be leading a GDPR project, ever.

      Good luck to you,


      • Hi David,
        I am a Business Analyst, and like Marko I would like to move into compliance and gain GDPR certification. I was considering going with IT Governance (£2,000) or Henley Business School (£8,500) for the Foundation and Practitioner courses. However, after reading your posts I am now considering taking the same courses you mentioned above.

        Please can you let me know the training company for the Certified Information Privacy Technologist (CIPT) that you are using?

        One last point (I think…..), I have spent the past two months studying GDPR, and like Marko, I want to lead a GDPR implementation, and become a DPO.
        In your opinion, would I be better taking the same two courses you mentioned, along with researching GDPR, to offer awareness to companies and enable me to put into practice processes and procedures to meet GDPR compliance?

        ….Another last point…. would I be better with the two certificates you mentioned or a GDPR Practitioner qualification on my CV when applying for jobs? How would companies view each qualification when recruiting someone with GDPR knowledge to help them conform with the EU GDPR compliance?

        Thank you,

      • Hi Michael,

        I am not using a training company, the IAPP certifications are self-study based on a number of books that they provide. e.g. Introduction to IT Privacy – A Handbook for Technologists

        No offence Michael, but if all you have done is study the GDPR for a couple of months you are in no way qualified to lead an implementation or become a DPO. You are not a privacy expert or a lawyer, so you should not be attempting to determine the lawful basis for processing, nor should you be composing the requisite contractual language or privacy notices.

        DPO is not a title and absolutely not a certification, it’s a function. Unless you have been doing the work of a DPO for a number of years you need to refocus.

        As a Business Analyst there is a LOT of work for you to do. From helping to map the data flows to business processes to working with the IT side of your organisation in reducing the risks associated with having the data in the first place. Stick to what you know.

        Implementation of GDPR is a group effort with absolutely no room for guesswork. The DPO role will likely attract civil penalties in the case of egregious offence, don’t put yourself in that position.

        By making the effort you will get your piece of the pie Michael, make sure it’s the right piece.



      • Hi David

        Thanks for your article, it makes a lot of sense. Regarding CIPT and CIPP/E certification, you mentioned you will be following the self-study path. I looked at the website for resources.
        If you know the books required for CIPT and CIPP/E respectively, it would really help me to start with my studies.


      • Hi Ahmad,

        That information is available on the website for both courses. Here’s CIPT, I’ve not looked at CIPP/E yet:

        CIPT Bibliography 2.0-LW-2015-FINAL.pdf
        CIPT_BoK.pdf
        CIPT_EBP.pdf
        IAPP_Privacy_Certification_Candidate_Handbook.pdf

        Good luck,


  6. Hello David and MANY THANKS for all the great articles you publish- You are by far the only person so far who makes sense in this all GDPR frenzy.
    My question is relatively simple I guess: I am currently in the final stage of concept validation for an employee HR admin app for SMEs, before I build it. Would I be correct in thinking that as long as I read, understand (thanks to your GDPR in plain English), interpret, document and implement our processes based on the principles of GDPR in my startup, I am being pro-active towards compliance and therefore, should the ICO conduct an audit, I should be in a good stance?

  7. David,

    While doing some research about the certification regime under the GDPR, I came across your blog. I found it interesting and useful in the context of a new Regulation, with so much fear used as a marketing tool. I especially like the fact that you adopt a clear position in your writing, which differs from others trying to oversell services and products they may not master in the context of the GDPR. I also like your advocacy for privacy lawyers 😉

    Jokes apart, now on the certification topic, some additional thoughts, which I hope may be helpful for this article:

    – The “Recommendations on European Data Protection Certification” issued by ENISA. This document reminds us that, under the GDPR, certification is a voluntary decision and is “an accountability-based mechanism”, which can be used to demonstrate compliance towards the authorities (art. 5 (2) GDPR).

    However, the crucial part (§ 3.2, p.13) says that “compliance with the GDPR is not possible to be certified”. What you can certify is “compliance with (or else: conformity to) certification criteria that are derived from the GDPR.”

    “Compliance with such criteria entails that a controller or processor at a certain period in time has taken measures to ensure that it fulfils certain obligations, for instance to secure personal data in a given processing operation”.

    Also, it is worth noting that, a certification or a seal mark provided by an authority (such as CNIL Privacy Seals) does not constitute an exemption of administrative fines, which may be imposed despite being certified.

    Also, the aim and scope of Articles 42 and 43 GDPR are pretty limited, as they relate to data processing operations, although other references to certifications are made in the GDPR about data security (art. 32) and data protection by design/default (art. 25).

    Finally, the GDPR will not be a fully harmonised Regulation as more than 60 provisions allow Member States to implement exceptions. Local laws will contain different provisions and practice even if the aim is to coordinate, cooperate and remain consistent with the EU. Therefore, harmonised certification schemes and their recognition are another challenge.

    Hope this helps, but this is just a lawyer’s perspective.

    Link to the ENISA recommendations:

      • Hi David, of course you can! There are more articles in French, but if you think it is worth, then feel free to share. Thanks for your comment and all the best by 25 May 2018 😉

  8. David,

    You have confirmed all of my concerns around these courses and ‘certifications’ I too am searching for the ‘ultimate guide & practice’ around GDPR but you won’t find are correct, it is a function not a course!! As an HR Consultant & Practitioner, I have huge concerns around providing guidance to clients when I feel the information out there is far too open to (mis)interpretation and is very vague…I have downloaded a truck load of information from Data Commissioner’s website as a start point and I’m just going to read, study and try to understand it….what do you suggest next?
    Thanks again for that brilliant insight that has fully validated my own opinion on this

    • Hi Fionnuala,

      Thank you for the kudos! 🙂

      Honestly, there is only one thing I can see that I have done differently from you. I have read as much as I can on the subject, but then I put my opinions out there for everyone to see. My blogs are stand-alone, but they also go to LinkedIn, Twitter, Peerlyst etc. to get torn apart by those with far more knowledge on the subject than I will ever have.

      Privacy is not my domain, cybersecurity is, but I need to know as much as I can about privacy in order to help my clients avoid the charlatans, as well as put my services into an APPROPRIATE context. You are in HR and I recommend that you do the same thing in your domain.

      Believe me, if people disagree with you, they will let you know, and the vast majority of those ‘corrections’ come with significant guidance attached.

      That said, my best clients are the ones who are also educating themselves, so I tell them to READ the damned thing. But to make things a little easier, I have put together a GDPR in Plain English spreadsheet.

      Good luck, and please feel free to reach out directly if I can help you in any way;


  9. Hey David,

    Great work from you by writing such blogs!

    I am an amateur in GDPR. What do you suggest where do I start from? I understand the certifications are useless. However how does one get a concise way of studying GDPR rules? Is there a book or something?
    P.S I am from hospitality background and am curious to the effects it is going to have in my industry.


    • Thank you Shashwat.

      I am an amateur too, so are the vast majority of people claiming expertise unfortunately.

      I have not read any books, though there are some out there now. All I did was read the GDPR from start to finish, read it again, then once more. I put the whole thing into a spreadsheet and translated it to the best of my ability into plain English and ran the result past a REAL expert to make sure I had it right.

      All I’ve done since then is to read everything I can get my hands on from the ICO, the Article 29 Working Party, law firms (Bird & Bird for example) even LinkedIn.

      The reason I post these blogs is not to teach others what I know as much as to expose what I THINK I know to smarter people. If I have to go through the effort to research something, actually write about it, then post it for all to see, I’d better be fairly sure of my facts. I am still corrected frequently.

      I do this for my industry vertical (cybersecurity); I recommend you do the same for yours. There are some very generous experts out there, you just have to look for them.

      Good luck!


  10. Hi David,

    This is indeed an eye opener. Thanks a ton!
    Can you please tell me if I am headed in the right direction? – I have an Application Development and Server Management company in India, with most of the business from the European countries. Since the GDPR is going to be kicked off(?) from May, some of our Customers started asking for GDPR certification. From your amazing blog and other read-ups, it is pretty much clear that there is no “body” to authorize a certificate; rather it is a practice to be implemented in the organization.

    Now, our customers who do not want to hear/read any of this keep asking for Certificates, which we are tired of explaining; we need to show them some kind of certification.

    Is ISO 27001 Information Security Management System the right track to achieve the “GDPR certified status”? I know this is not what we need to do (instead we need to “teach” the customers), but when customers are adamant and we cannot lose our business, I believe it is better to “show” some kind of certification.


    • Hi Ginto,

      Unfortunately even ISO 27001 certification would only buy you ‘compliance’ with one of 99 Articles (Art. 32). Security does not equal privacy.

      Because there is no other form of certification, the only thing I can suggest is that you hire an organisation to help you self-assess yourself against the Regulation, then have them issue a “GDPR Certificate of Compliance”. This ‘certificate’ means absolutely nothing, as the caveats it contains make it clear that it’s entirely unofficial.

      I used to do this for PCI, go here for a sample: PCI Certificate of Compliance

      Yes, it’s absolute BS, but it’s not lying in ANY way. If the client is ignorant enough to insist on something that does not exist, I do not feel one iota of guilt.

      This in no way implies that you should not do GDPR properly, you should, and your contracts should reflect this, but in the end this is the controller’s (your clients) responsibility to get right.

      Sorry I can’t be of more help.


  11. David,

    I came across this blog while looking to book the ‘Certified’ EU GDPR Foundation and Practitioner Course, and also the DPO exam, and I couldn’t be more grateful. Not only has this blog saved my business £3646 + VAT, plus 5 days loss of earnings by taking time off from my current contracting role!! You have also answered a number of questions I have been asking myself while deciding whether or not to book this ‘Certified’ training course. I now intend on spending my evening reading through your blogs rather than spending £3646+ of my business’ money.

    Thank you!

  12. David
    This is a remarkable blog with excellent commentary. I have read the Bird & Bird document which is as you say is an excellent resource.
    I have been trying to get my energy supplier to provide my Smart Meter data in an Excel/CSV format at the half hourly level my meter sends to them and which they can read and plan how to fleece me in the future. They are refusing to provide anything other than a daily usage pdf printout which tells me nothing about the pattern of use in the day. Do you think from the 28th May companies will have to provide the information down to the level at which the customer has provided the data?

    • Many thanks! 🙂

      VERY interesting question, one I unfortunately have no answer to.

      However, from my perspective this is no different from asking me for 10 pieces of personal data, then sending me a spreadsheet with my data summarised at the category level. e.g. I give you my full mailing address and you tell me you have ‘an address’. How do I trigger my right to rectification?

      In your case they have ‘profiled’ your utility usage over the course of a day. They can, with enough of this data, tell when you are out of the house, what time you go to bed and so on. From my perspective you should have access to everything.

      I would definitely reach out to the ICO and put this to them, they have been extraordinarily receptive and responsive:

      Please let me know what they come back with, my wife and I are intrigued! 🙂

      Many thanks,


  13. Thanks so much, this saved me $700.00 and additional cost once a “real” certification becomes available. I had been hesitant but could not articulate why. You put into words what I had been feeling. I work in systems integration & data migration. I know the GDPR impacts are coming, and understand my responsibility to be educated and prepared. I will (more confidently) continue on my GDPR self-education path (read the damned stuff) and look into CIPT.
    Again Thanks

  14. The points that you have made at the beginning of this blog have confused me. You quote from ISO 17024 and IBITGQ and then make two points about accreditation bodies. You are correct in saying that there are no accreditation bodies in the UK at the moment who can offer certification to prove compliance with GDPR – no accreditation bodies have been set up at the moment, and yes, you are correct about the ICO acting as a supervisory body but not as an accreditation body.

    I think that the accreditation / certification of a company has been confused with training courses that are certified as compliant with ISO 17024. You can offer training on anything that you want but you cannot say it is certified to an ISO standard if it is not. The courses that you are belittling must conform with set criteria from the ISO certifying body to allow them to use this offering.

    I think that the provision of certified training has been confused with the provision of certification services by an accreditation body. In this context certification and accreditation bodies deal with assessing companies’ compliance with set requirements, not training providers. Accreditation and certification bodies should be looked at in the same way as the CBs that exist for ISO standards, the BSIs and DNVs and the like.

    As the GDPR is a piece of legislation it is much more likely that codes of conduct will be developed rather than the ability to become a GDPR compliant ‘certified’ company – you may be able to assert that you are externally compliant, but I think that ‘certification’ and certification bodies are a long way off.

    • Hi Emma,

      Not sure what confuses you? The majority of people looking at the GDPR Foundation / Practitioner courses are assuming that compliance to ISO 17024 and IBITGQ gives these ‘official sanction’. I’m pointing out that they don’t.

      I am not belittling the courses themselves, I just strongly object to the marketing, which is completely misleading unless you do some homework. Yes, you should do that homework as a matter of course, but this expenditure of effort is a rare thing. And the companies offering this training know that.

      I am also very much belittling graduates of these ‘certified’ courses who believe that a 4 day course gives them the right to call themselves expert. Or worse, to lead an implementation effort.

      The point of ALL of my GDPR blogs is to point the reader in the right direction to educate themselves enough to begin asking the right questions. The training courses could do that, but they have chosen a far less altruistic approach.


  15. Hi David,
    What confused me was the way in which you seemed to speak of certification bodies (and their function) in the same breath as the certification gained in doing these courses. Two entirely different things.
    Doing any sort of course will not make you an expert but you have to start somewhere, I don’t think that anyone would be under the illusion that they are expert after a four day course, I believe that the ICO should have had something in place before now for a CB.
    Small businesses do not have the resources to have lawyers, privacy experts and the like on hand to help and unfortunately for them I see a lot of people being fleeced by consultants who do not have the skillset to handle an implementation, and I agree completely that these courses do not equal expertise but there needs to be a starting point.

    • I am clearly significantly more cynical than you, as a) I believe that the certification bodies know full well that the average consumer assumes that ‘certification’ means something more than it does, and b) the average consultant who has achieved ‘GDPR certification’ knows that their clients can’t tell the difference between someone who only knows a lot more than them and someone who is a true expert.

      I am a big fan of these courses as a starting point, but that’s all they can ever be.

  16. Hmm, thanks for the article David, and the ongoing discussion everyone. There’s certainly a lot of hard marketing going on – the ticking doomsday clock on a few vendors websites seems to be popular! Last week I did have a salesperson from Firebrand training tell me – categorically – that theirs is the only ISO certified DPO course. Three days to become a certified GDPR expert, and presumably shoulder the burden of GDPR responsibility for your employer thereafter? I’ll pass.

    It’s certainly an area to tread carefully, the question of liability is not often highlighted by those touting training, but it’s a thorny issue that deserves sober consideration.

    I’m really an IT and network security manager in essence, and the difficulty for me seems to be getting management to understand that GDPR isn’t actually my problem per se. I clearly cannot be the instigator of top-down organisational reform, as I’m really just a solutions provider, an enabler as you say.

    I do my share of reading and learning though, because understanding compliance is still key to the role, but signing it off really isn’t. I do help my main client renew their CyberEssentials certificate every year, but am cognisant of the fact that even this is technically a conflict of interest, as there’s no technically competent oversight in many smaller organisations. It’s basically all Dutch to the MD, so he has no idea what he is signing off anyway.

    More marketing, you should look at this one:
    I suppose it’s no bad thing to give businesses a roadmap for this stuff. CyberEssentials is not complicated but also not a trivial standard as for the most part it’s based on ISO 27001, noticeably more so this year as GDPR approaches. However the obligatory reference to GDPR certification in the pitch is arguably a bit of bait, even with the careful phrasing ‘Help me…’ ‘…readiness…’

    Fun times!

