GDPR Certified

There is No Such Thing as GDPR Certification …Yet!

If you’re looking for real guidance on GDPR, and surprisingly few of you are, you will likely have seen vendors selling things like; Certified EU General Data Protection Regulation (GDPR) Practitioner, some of whom also promise delegates that they will be “awarded the ISO 17024-accredited EU GDPR Practitioner (EU GDPR P) qualification by IBITGQ”.

Sounds really impressive, right? Unfortunately, it doesn’t mean a damned thing:

While there is absolutely nothing wrong with either ISO 17024 standard or the IBITGQ, when applied appropriately, they have absolutely nothing to do with GDPR certification. The ‘practitioner’ course itself may cover aspects GDPR, but there are no certifications yet available for GDPR, let alone accredited certification bodies who can provide it.

For example, in the UK, the Information Commissioner’s Office (ICO) will be the ‘supervisory authority’ responsible for the:

  1. “...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1, and;
  2. “…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3

In other words, without the ICO there is no GDPR certifications available from anyone for anything. To date the ICO have release nothing on certification / accreditation, not even guidance. Nor have the Article 29 Working Party (Art. 29 WP) to whom the ICO refer.

One of the challenges is that the term ‘certification’ means several things even within the GDPR itself. From the certification of ‘appropriate measures’ between processors and controllers (GDPR Final Text, Recital 76), to the “The adherence of the processor to an approved code of conduct or an approved certification mechanism…” (GDPR Final Text, Recital 81), the nature and extent of these certifications will vary considerably.

What IS out there however are organisations offering GDPR foundation classes. These courses are designed to instruct and inform, not offer useless acronyms. It’s these courses you should be looking into, but like everything else, you must ask the right questions.

For example, if you’re:

  1. a Data Protection Officer (DPO), you will need to know how the GDPR affects your responsibilities and management reporting;
  2. a contracts lawyer, you’ll need to know how all of your vendor AND client contracts will be affected;
  3. an IT manager you’ll want to know how the GDPR will be implemented from an infrastructure perspective; and
  4.  responsible for cybersecurity, how do you demonstrate ‘appropriate measures’?

But worse than vendors trying to provide training certificates are the ones providing GDPR compliance consultancy, or worst yet, software. I can understand privacy experts and lawyers offering these services, but cybersecurity vendors!? Data security is less than 5% of the work organisations will have to perform to bring themselves into compliance with GDPR. Not only that, in the ICO’s Guide to Data Protection they already mention ISO 27001 under Principle 7 – Information Security, so it’s fairly clear against which benchmark security programs will be measured.

GDPR is not an IT problem, it’s certainly not just a data security problem, it is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree. The first step is not to buy the first training course that comes your way, it’s to read the damned thing, then raise the awareness of GDPR to the people whose very arses are on the line. Whether you call them the Senior / Executive Management, the C-Suite, or the Leadership Team makes no difference, the implementation of GDPR starts with those at the top. They are the ones who will be held accountable, so they are the ones who should ensure that everyone has the training and resources they need.

Every new data protection regulation is seen by vendors as a way into your wallets. The GDPR is no different. Do your homework, and ignore any organisation offering services predicated on fear, uncertainty and doubt. Or worse, utter nonsense.

[If you liked this article, please share! Want more like it, subscribe!]

Cybersecurity Certifications

Security Certifications Are Just the Beginning

We’ve all seen these signature blocks;

[Name], CISSP, CISM, CISA, QSA, CRISC, CGEIT, PCIP, ISO LA, ITIL, Prince II, blah, blah….

These acronyms belong in two places; your LinkedIn [and equivalent] profile, and your CV/Resume/Bio. They have no place in your email signatures, nor on your business cards.

It’s not like we studied for a number of YEARS to get a MSc, or PhD. We read a book, and passed a multiple choice exam. We didn’t even have to know how to IMPLEMENT what we learned, we just had to memorise and regurgitate. Most questions end up being a 50/50 guess anyway if you don’t actually know the right answer.

I’m not saying certifications are totally meaningless, they are a great beginning for those trying to break into the cybersecurity industry, but once in, it’s your experience that needs to do the talking for you. Or better yet, the clients you helped do the talking for you. Your certifications show that you have some commitment, and who knows, maybe you’ll even learn a couple of things that are useful. But these things don’t help you much when you’re face-to-face with a real client asking for your guidance, and all you can do is read from a book.

Learning anything new is messy. You’re clumsy at first, you make LOTS of mistakes, and you may begin to doubt yourself. But get past that first client, the one who you helped …eventually, the one who actually thanked you afterwards, and THAT’S when your learning really starts. You EARNED that, and it’s not a feeling you’ll ever get from an acronym or a book.

With security, there are no certification that really get to the fundamental point, the meaning behind all of this. I guess CISSP gets the closest because its 10 Common Bodies of Knowledge (CBKs) cover things from Risk Management to Business Continuity, but no-one really cares about that stuff at senior leadership level, it’s just detail.

What’s important is STAYING in business, growing, going international, going public, shareholders and so on, and not one certification out there helps you explain to the CEO how IT and IT security can help get them there. No certification ever will, it’s something you have to learn for yourself, and something that will change with every client with whom you work.

There are no certifications for, or shortcuts to, being a consultant who ‘gets it’.

I have likened security to insurance, but that’s not really fair. Selling security is like selling insurance, but in the end insurance is just risk mitigation, security is business enablement. Security is not the goal, and it’s easy to get caught up in the moment and forget why we are really there in the first place.

So, as for your signature blocks, far better I think is to have the number of years you’ve been in cybersecurity, and the number of clients you’ve helped. Something like;

David Froud

Years In Cybersecurity: 17, Clients Helped: Hundreds

Think it’ll catch on? 🙂

[If you liked this article, please share! Want more like it, subscribe!]