GDPR Certified

There is No Such Thing as GDPR Certification …Yet!

If you’re looking for real guidance on GDPR, and surprisingly few of you are, you will likely have seen vendors selling things like; Certified EU General Data Protection Regulation (GDPR) Practitioner, some of whom also promise delegates that they will be “awarded the ISO 17024-accredited EU GDPR Practitioner (EU GDPR P) qualification by IBITGQ”.

Sounds really impressive, right? Unfortunately, it doesn’t mean a damned thing:

While there is absolutely nothing wrong with either ISO 17024 standard or the IBITGQ, when applied appropriately, they have absolutely nothing to do with GDPR certification. The ‘practitioner’ course itself may cover aspects GDPR, but there are no certifications yet available for GDPR, let alone accredited certification bodies who can provide it.

For example, in the UK, the Information Commissioner’s Office (ICO) will be the ‘supervisory authority’ responsible for the:

  1. “...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1, and;
  2. “…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3

In other words, without the ICO there is no GDPR certifications available from anyone for anything. To date the ICO have release nothing on certification / accreditation, not even guidance. Nor have the Article 29 Working Party (Art. 29 WP) to whom the ICO refer.

One of the challenges is that the term ‘certification’ means several things even within the GDPR itself. From the certification of ‘appropriate measures’ between processors and controllers (GDPR Final Text, Recital 76), to the “The adherence of the processor to an approved code of conduct or an approved certification mechanism…” (GDPR Final Text, Recital 81), the nature and extent of these certifications will vary considerably.

What IS out there however are organisations offering GDPR foundation classes. These courses are designed to instruct and inform, not offer useless acronyms. It’s these courses you should be looking into, but like everything else, you must ask the right questions.

For example, if you’re:

  1. a Data Protection Officer (DPO), you will need to know how the GDPR affects your responsibilities and management reporting;
  2. a contracts lawyer, you’ll need to know how all of your vendor AND client contracts will be affected;
  3. an IT manager you’ll want to know how the GDPR will be implemented from an infrastructure perspective; and
  4.  responsible for cybersecurity, how do you demonstrate ‘appropriate measures’?

But worse than vendors trying to provide training certificates are the ones providing GDPR compliance consultancy, or worst yet, software. I can understand privacy experts and lawyers offering these services, but cybersecurity vendors!? Data security is less than 5% of the work organisations will have to perform to bring themselves into compliance with GDPR. Not only that, in the ICO’s Guide to Data Protection they already mention ISO 27001 under Principle 7 – Information Security, so it’s fairly clear against which benchmark security programs will be measured.

GDPR is not an IT problem, it’s certainly not just a data security problem, it is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree. The first step is not to buy the first training course that comes your way, it’s to read the damned thing, then raise the awareness of GDPR to the people whose very arses are on the line. Whether you call them the Senior / Executive Management, the C-Suite, or the Leadership Team makes no difference, the implementation of GDPR starts with those at the top. They are the ones who will be held accountable, so they are the ones who should ensure that everyone has the training and resources they need.

Every new data protection regulation is seen by vendors as a way into your wallets. The GDPR is no different. Do your homework, and ignore any organisation offering services predicated on fear, uncertainty and doubt. Or worse, utter nonsense.

[If you liked this article, please share! Want more like it, subscribe!]

71 thoughts on “There is No Such Thing as GDPR Certification …Yet!

  1. My business is certified / registered under the DPA – which broadcasts what we do with data. I am expecting this to be replaced by a GDPR registration / certification process. But who knows?? In any case it is certainly not a “training certificate” we will need.

  2. The text of the draft UK Data Protection Bill and GDPR Article 43(1).b states it is not just the Supervisory Authority who can accredit certification. An accreditation service (i.e. UKAS) can also accredit a Certification Body to issue Data Protection Certifications.

    As for IBITGQ – one needs to question whether a body which isn’t itself ISO 17024 accredited and, the same person who set up the Certification Body owns the only Accredited Training Organisation (ATO) could legitimately claim their Certifications are ISO 17024 compliant at all.

    • It all depends on what you’re looking to achieve. If you’re looking for a course to give you a background on GDPR then I have no issue with it, despite the misleading advertising. However, if you think this course is in any way sanctioned by the ICO, or if you want to use your ‘certification’ to start providing GDPR services, then you’re asking the wrong questions.

  3. I would like to become a DPO, is there any place where I can have training that will mean something? I was going to do the Distance Learning EU GDPR Foundation and Practitioner courses provided by but I am now unsure that this would mean anything to employers?

      • Typical baby boomer. One day the people who HAVE the existing skills and knowledge are going to die: do you propose that no one begins to learn/train in data protection?

      • Gen X, do your homework.

        I’m going to assume you’re a Millennial given that; 1) you don’t do any homework before posting comments, and 2) you are offended by everything, and 3) you completely missed the point of the blog which so offended you.

        In NO way have I EVER suggested that those new to GDPR/data protection should not have a part to play. What I am saying is that a 4 day course does not give you the right to tell people you’re an expert on the subject. I’ve been studying this stuff for well over a year and to this day only consider myself a novice. One who needs REAL experts to guide him.

        Would you want a doctor fresh out of medical school operating on your loved ones by themselves, or would you demand that they be closely supervised by someone who has performed that exact operation a thousand times?

        You think a 4 day course gives you the right to operate?

  4. “Whether you call them the Senior / Executive Management, the C-Suite, or the Leadership Team makes no difference, the implementation of GDPR starts with those at the top.”

    Totally true, and most of them have no clue what the law really means to them. The fines are huge, but how they will be implemented has yet to be seen. Will China, Russia and ME companies be treated the same way as EU and North American?

    I was looking to take those courses but will pass for now.

    Thanks for the warning.

  5. Hi,

    I understand there is not a an official recognize body for GDPR,however as someone in the IT security field its good to do the courses and get some certifications. I did the foundation and am already working on a project involving GDPR. I am doing the practitioner Jan 2018 to further give me more experience and knowledge. The fact is your certification gives you extra credit during any job interviews and if you have your certification with little experience you half way through the door. My advice do the course and earned the certification from a reputable training organization.

    • Hi Marko,

      As an IT security professional I believe privacy needs to become a core competence to your function, but ONLY in so far as you have enough knowledge to put what legal say into effect. We are only EVER enablers, with absolutely no business making determinations on legal basis for processing, contract language, or legitimate interest.

      So while I have no I no issue with the GDPR practitioner course [other than its very misleading advertising] for


      on the GDPR, to use this ‘certification’ to


      GDPR project in unconscionable.

      I will be taking the Certified Information Privacy Technologist (CIPT) and Certified Information Privacy Professional/Europe (CIPP/E) from IAPP early next year, both of which blow the practitioner course away. But I STILL won’t be leading a GDPR project, ever.

      Good luck to you,


      • HI David,
        I am a Business Analyst, and like Marko I would like to move into compliance and gain GDPR certification. I was considering going with IT Governance (£2,000) or Henley Business School (£8,500) for the Foundation and Practitioner courses. However, after reading your posts I am now considering taking the same courses you mentioned above.

        Please can you let me know the training company for the Certified Information Privacy Technologist (CIPT) that you are using?

        One last point (I think…..), I have spent the past two months studying GDPR, and like Marko, I want to lead a GDPR implementation, and become a DPO.
        In your opinion, would I be better taking the same two courses you mentioned, along with researching GDPR to offer awareness to companies and enable me to put into practice processes and procedures to meet GDPR compliance.

        ….Another last point…. would I be better with the two certificates you mentioned or a GDPR Practitioner qualification on my CV when applying for jobs? How would companies view each qualification when recruiting someone with GDPR knowledge to help them conform with the EU GDPR compliance?

        Thank you,

      • Hi Michael,

        I am not using a training company, the IAPP certifications are self-study based on a number of books that they provide. e.g. Introduction to IT Privacy – A Handbook for Technologists

        No offence Michael, but if all you have done is study the GDPR for a couple of months you are in no way qualified to lead an implementation or become a DPO. You are not a privacy expert or a lawyer, so you should not be attempting to determine the lawful basis for processing, nor should you be composing the requisite contractual language or privacy notices.

        DPO is not a title and absolutely not a certification, it’s a function. Unless you have been doing the work of a DPO for a number of years you need to refocus.

        As a Business Analyst there is a LOT of work for you to do. From helping to map the data flows to business processes to working with the IT side of your organisation in reducing the risks associated with having the data in the first place. Stick to what you know.

        Implementation of GDPR is a group effort with absolutely no room for guesswork. The DPO role will likely attract civil penalties in the case of egregious offence, don’t put yourself in that position.

        By making the effort you will get your piece of the pie Michael, make sure it’s the right piece.



      • HI David

        Thanks for your article, it makes a lot of sense. Regarding CIPT and CIPP/E certification you mentioned you will be following the self-study path. I looked at website for resources.
        If you know books required for CIPT and CIPP/E respectively would really help me to start with my studies.


      • Hi Ahmad,

        That information is available on the website for both courses. Here’s CIPT, I’ve not looked at CIPP/E yet:

        CIPT Bibliography 2.0-LW-2015-FINAL.pdf (
        CIPT_BoK.pdf (
        CIPT_EBP.pdf (
        IAPP_Privacy_Certification_Candidate_Handbook.pdf (

        Good luck,


      • I really hope you won’t be leading a GDPR project, David. No offence meant, but if you think that IT should only be enablers of legal functions – the very one who have spread FUD over GDPR for over two years – then you are better not 🙂


      • Of course I won’t be leading a GDPR project, I’m not QUALIFIED. Lawyers (or equiv.) set the lawful basis for processing, IT makes it happen in the back end, not the other way around.

        And as for lawyers spreading FUD, EVERYONE has done that, ESPECIALLY security companies.

  6. Hello David and MANY THANKS for all the great articles you publish- You are by far the only person so far who makes sense in this all GDPR frenzy.
    My question is relatively simple I guess: I am currently in the final stage of concept validation for an employee HR admin app for SMEs, before I build it. Would I be correct in thinking that as long as I read, understand (thanks to your GDPR in plain English), interpret, document and implement our processes based the principles of GDPR in my startup, I am being pro-active towards compliancy and therefore should the ICO conduct an audit, I should be in a good stance?

  7. David,

    While doing some research about the certification regime under the GDPR, I came across your blog. I found it interesting and useful in the context of a new Regulation, with so much fear used as a marketing tool. I especially like the fact that you adopt a clear position in your writing, which differs from others trying to oversell services and products they may not master in the context of the GDPR. I also like your advocacy for privacy lawyers 😉

    Jokes apart, now on the certification topic, some additional thoughts, which I hope may be helpful for this article:

    – The “Recommendations on European Data Protection Certification” issued by the ENISA. This document reminds that, under the GDPR, certification is a voluntary decision and is “an accountability-based mechanism”, which can be used to demonstrate compliance towards the authorities (art. 5 (2) GDPR).

    However, the crucial part (§ 3.2, p.13) says that “compliance with the GDPR is not possible to be certified”. What you can certify is “compliance with (or else: conformity to) certification criteria that are derived from the GDPR.”

    “Compliance with such criteria entails that a controller or processor at a certain period in time has taken measures to ensure that it fulfils certain obligations, for instance to secure personal data in a given processing operation”.

    Also, it is worth noting that, a certification or a seal mark provided by an authority (such as CNIL Privacy Seals) does not constitute an exemption of administrative fines, which may be imposed despite being certified.

    Also the aim andscope of Article 42 and 43 GDPR are pretty limited, where it relate to data processing operations, although other references to certifications are mentioned in the GDPR about data security (art. 32) and data protection by design/default (art. 25).

    Finally, the GDPR will not be fully harmonized Regulation as more than 60 provisions allow Member States to implement exceptions. Local laws will contain different provisions and practice even if the aim is to coordinate, cooperate and remaining consistent with the EU. Therefore, harmonized certification schemes and their recognition is another challenge.

    Hope this helps, but this is just a lawyer’s perspective.

    Link to the ENISA recommendations:

      • Hi David, of course you can! There are more articles in French, but if you think it is worth, then feel free to share. Thanks for your comment and all the best by 25 May 2018 😉

    • Hi Gabriel and David,
      Thanks David for the great article and thanks to Gabriel for highlighting the legal aspect. I am a young lawyer and i want to focus my career in law and technology. I was considering some of these certifications that would be relevant to my law degree and masters in humanitarian law and conflict. However with a lot out there, i get so confused, i’d also thought of adding a bit of computer forensics certification to get me grounded in the field.
      I will greatly appreciate your advice and direction.

  8. David,

    You have confirmed all of my concerns around these courses and ‘certifications’ I too am searching for the ‘ultimate guide & practice’ around GDPR but you won’t find are correct, it is a function not a course!! As an HR Consultant & Practitioner, I have huge concerns around providing guidance to clients when I feel the information out there is far too open to (mis)interpretation and is very vague…I have downloaded a truck load of information from Data Commissioner’s website as a start point and I’m just going to read, study and try to understand it….what do you suggest next?
    Thanks again for that brilliant insight that has fully validated my own opinion on this

    • Hi Fionnuala,

      Thank you for the kudos! 🙂

      Honestly, there is only one thing I can see that I have done differently from you. I have read as much as I can on the subject, but then I put my opinions out there for everyone to see. My blogs are stand-alone, but they also go to LinkedIn, Twitter, Peerlyst etc. to get torn apart by those with far more knowledge on the subject than I will ever have.

      Privacy is not my domain, cybersecurity is, but I need to know as much as I can about privacy in order to help my clients avoid the charlatans, as well as put my services into an APPROPRIATE context. You are in HR and I recomend that you do the same thing in your domain.

      Believe me, if people disagree with you, they will let you know, and the vast majority of those ‘corrections’ come with significant guidance attached.

      That said, my best clients are the ones who are also educating themselves, so I tell them to READ the damned thing. But to make things a little easier, I have put together a GDPR in Plain English spreadsheet.

      Good luck, and please feel free to reach out directly if I can help you in any way;


  9. Hey David,

    Great work from you by writing such blogs!

    I am an amateur in GDPR. What do you suggest where do I start from? I understand the certifications are useless. However how does one get a concise way of studying GDPR rules? Is there a book or something?
    P.S I am from hospitality background and am curious to the effects it is going to have in my industry.


    • Thank you Shashwat.

      I am an amateur too, so are the vast majority of people claiming expertise unfortunately.

      I have not read any books, though they are some out there now. All I did was read the GDPR from start to finish, read it again, then once more. I put the whole thing into a spreadsheet and translated it to the best of my ability into plain English and ran the result past a REAL expert to make sure I had it right.

      All I’ve done since then is to read everything I can get my hands on from the ICO, the Article 29 Working Party, law firms (Bird & Bird for example) even LinkedIn.

      The reason I post these blogs is not to teach other what I know as much as they are exposing what I THINK I know to smarter people. If I have to go through the effort to research something, actually write about, then post it for all to see, I’d better be fairly sure of my facts. I am still corrected frequently.

      I do this for my industry vertical (cybersecurity) I recommend you do the same for yours, there are some very generous experts out there, you just have to look for them.

      Good luck!


  10. Hi David,

    This is indeed an eye opener. Thanks a ton!
    Can you please tell me if I am headed in the right direction? – I have an Application Development and Server Management company in India, with most of the business from the European countries. Since the GDPR is going to be kickedoff(?) from May, some of our Customers started asking for GDPR certification. From your amazing blog and other readups, it is pretty much clear that there is no “body” to authorize a certificate or it is a practice to implemented in the organization.

    Now, our customers who does not want to hear/read any of this keep asking for Certificates which we are tired of explaining; we need to show them some kindof certification.

    Is ISO 27001 Information Secuirty Management System the right track to achieve the “GDPR certified status”? I know this is not what we need to do ( instead we need to “teach” the customers), but when customers are adamant and we cannot lose our business, I believe it is better to “show” some kindof certification.


    • Hi Ginto,

      Unfortunately even ISO 27001 certification would only buy you ‘compliance’ with one of 99 Articles (Art. 32). Security does not equal privacy.

      Because there is no other form of certification, the only thing I can suggest is that you hire an organisation to help you self-assess yourself against the Regulation, then have them issue a “GDPR Certificate of Compliance”. This ‘certificate’ means absolutely nothing, as the caveats it contains make it clear that it’s entirely unofficial.

      I used to do this for PCI, go here for a sample: PCI Certificate of Compliance

      Yes, it’s absolute BS, but it’s not lying in ANY way. If the client is ignorant enough to insist on something that does not exist, I do not feel one iota of guilt.

      This in no way implies that you should not do GDPR properly, you should, and your contracts should reflect this, but in the end this is the controller’s (your clients) responsibility to get right.

      Sorry I can’t be of more help.


  11. David,

    I came across this Blogg while looking to book the ‘Certified’ EU GDPR Foundation and Practitioner Course, and also the DPO exam, and I couldn’t be more grateful, not only has this blogg saved my business £3646 + VAT, plus 5 days loss of earnings by taking time off from my current contracting role!! you have also answered a number questions I have been asking myself while deciding whether or not to book this ‘Certified’ training course. I now intend on spending my evening reading through your bloggs rather than spending £3646+ of my business’ money.

    Thank you!

  12. David
    This is a remarkable blog with excellent commentary. I have read the Bird & Bird document which is as you say is an excellent resource.
    I have been trying to get my energy supplier to provide my Smart Meter data in an Excel/CSV format at the half hourly level my meter sends to them and which they can read and plan how to fleece me in the future. They are refusing to provide anything other than a daily usage pdf printout which tells me nothing about the pattern of use in the day. Do you think from the 28th May companies will have to provide the information down to the level at which the customer has provided the data?

    • Many thanks! 🙂

      VERY interesting question, one I unfortunately have no answer to.

      However, from my perspective this is no different from asking me for 10 pieces of personal data, then sending me a spreadsheet with my data summarised at the category level. e.g. I give you my full mailing address and you tell me you have ‘an address’. How do I trigger my right to rectification?

      In your case they have ‘profiled’ your utility usage over the course of a day. They can, with enough of this data, tell when you are out of the house, what time you go to bed and so on. From my perspective you should have access to everything.

      I would definitely reach out to the ICO and put this them, they have been extraordinarily receptive and responsive:

      Please let me know what they come back with, my wife and I are intrigued! 🙂

      Many thanks,


  13. Thanks so much, this saved me $700.00 and additional cost once a “real” certification becomes available. I had been hesitant but could not articulate why. You put into words what I had been feeling. I work in systems integration & data migration. I know the GDPR impacts are coming, and understand my responsibility to be educated and prepared. I will (more confidently) continue on my GDPR self-education path (read the damned stuff) and look into CIPT.
    Again Thanks

  14. The points that you have made at the beginning of this blog have confused me. You quote from ISO 17024 and IBITGQ and then two points about accreditation bodies. You are correct in saying that there are no accreditation bodies in the UK at the moment who can offer certification to prove compliance with GDPR – no accreditation bodies have been set up at the moment, and yes you are correct about the ICO acting as supervisory bodies but not as an accreditation body.
    I think that the accreditation / certification of a company has been confused with training courses that are certified as compliant with ISO 17024. You can offer training to anything that you want but you cannot say it is certified to an ISO standard if it is not. The courses that you are belittling must conform with set criteria from the ISO certifying body to allow them to use this offering. I think that the provision of certified training has been confused with the provision of certification services by an accreditation body. In this context certification and accreditation bodies deal with assessing companies compliance to set requirements and not training providers. Accreditation and certification bodies should be looked at in the same way as the CBs that exist for ISO standards, the BSI and DNVs and the like. As the GDPR is a piece of legislation it is much more likely that codes of conduct will be developed rather than the ability to become a GDPR compliant ‘certified’ company – you may be able to assert that you are externally compliant but I think that ‘certification’ and certification bodies are a long way of.

    • Hi Emma,

      Not sure what confuses you? The majority of people looking at the GDPR Foundation / Practitioner courses are assuming that compliance to ISO 17024 and IBITGQ gives these ‘official sanction’. I’m pointing out that they don’t.

      I am not belittling the courses themselves, I just strongly object to the marketing which is completely misleading unless you do some homework. Yes, you should do that homework as a matter of course, but this expenditure of effort is a rare thing. And the companiesw offering this training know that.

      I am also very much belittling graduates of these ‘certified’ courses who believe that a 4 day course gives them the right to call themselves expert. Or worse, to lead an implementation effort.

      The point of ALL of my GDPRs blog is to point the reader in the right direction to educate themselves enough to begin asking the right questions. The training courses could do that, but they have chosen a far less altruistic approach.


  15. Hi David,
    What confused me was the way in which you seemed to speak of certification bodies (and their function) in the same breath as the certification gained in doing these courses. Two entirely different things.
    Doing any sort of course will not make you an expert but you have to start somewhere, I don’t think that anyone would be under the illusion that they are expert after a four day course, I believe that the ICO should have had something in place before now for a CB.
    Small businesses do not have the resources to have lawyers, privacy experts and the like on hand to help and unfortunately for them I see a lot of people being fleeced by consultants who do not have the skillset to handle an implementation, and I agree completely that these courses do not equal expertise but there needs to be a starting point.

    • I am clearly significantly more cynical that you as a) I believe that the certification bodies know full-well that the average consumer assumes that ‘certification’ means something more than it does, and b) the average consultant who have achieved ‘GDPR certification’ knows that their clients can’t tell the difference between someone who only knows a lot more than them and someone who is a true expert.

      I am a big fan of these courses as a starting point, but that’s all they can ever be.

  16. Hmm, thanks for the article David, and the ongoing discussion everyone. There’s certainly a lot of hard marketing going on – the ticking doomsday clock on a few vendors websites seems to be popular! Last week I did have a salesperson from Firebrand training tell me – categorically – that theirs is the only ISO certified DPO course. Three days to become a certified GDPR expert, and presumably shoulder the burden of GDPR responsibility for your employer thereafter? I’ll pass.

    It’s certainly an area to tread carefully, the question of liability is not often highlighted by those touting training, but it’s a thorny issue that deserves sober consideration.

    I’m really an IT and network security manager in essence, and the difficulty for me seems to be getting management to understand that GDPR isn’t actually my problem per se. I clearly cannot be the instigator of top-down organisational reform, as I’m really just a solutions provider, an enabler as you say.

    I do my share of reading and learning though, because understanding compliance is still key to the roll, but signing it off really isn’t. I do help my main client renew their CyberEssentials certificate every year, but am cognisant of the fact that even this is technically a conflict of interest, as there’s no technically competent oversight in many smaller organisations. It’s basically all dutch to the MD, so he has no idea what he is signing off anyway.

    More marketing, you should look at this one:
    I suppose it’s no bad thing to give businesses a roadmap for this stuff. CyberEssentials is not complicated but also not a trivial standard as for the most part it’s based on ISO 27001, noticeably more so this year as GDPR approaches. However the obligatory reference to GDPR certification in the pitch is arguably a bit of bait, even with the careful phrasing ‘Help me…’ ‘…readiness…’

    Fun times!


  17. Hi David,

    I’m also starting to question the IBITGQ as an ‘independent’ organisation. It seems to be established by IT Governance and appears to be a trojan marketing vehicle for this commercial organisation. Can you confirm?
    If this is true, it’s unfortunate that you have perhaps unintentionally lent some legitimacy to them through this blog post.

    • Hi Liam, many thanks for your comments.

      Nope, I’ve not looked into it inthat kind of depth, but I really don’t see this as any different to any organisation offering ‘certifications’.

      CISA, CISSP, CEH are all well established and respected certifications, and all are ‘commercial’ in nature. Anything that raises the standard, as well as the bar for entry, is a good thing, but they all need perspective.

      It does not matter how ‘official’ a certification or even certifying body is, there will always be those who twist it for their own ends. It’s up to the individual to ask the right questions, and not rely on acronyms.


      • Hi David,
        This is a good point you make – many professional bodies and certification organisations are made up of commercial members (and not just in infosec). The difference with IBITGQ is that there appears to be just one member and only one certified training organisation. If IBITGQ has (as claimed) been around since 2011, for it to have any real value you would expect it to have substantially more than this by now.

  18. I agree on almost everything you wrote. Just disagree on one aspect: information security is not 5% of GDPR compliance, but 85% I would say. Because IT security are processes and tecnical measures to enforce GDPR provisions. Without them, there is no data protection. Without information security, articles 24, 25, 32, 33,34, 35 and 26 are almost meaningless.
    What GDPR calls DPIA is risk management, which is a well enstablished concept in the engineering field.

    • Clearly you are in IT security! 🙂 I wish it was 85%, but it just isn’t. The only Article directly related to DATA security, as opposed to security of PROCESSING, is Article 32. The other Articles you mention are, once again, only ~5% data security. Even a ‘data breach’ does not necessarily mean data loss through hack.

      You have to remember, data protection is NOT data security, you cannot read into the GDPR what you want it to mean.

  19. David,

    In case you haven’t come across this, in the context of ISO certification and the GDPR, the IAPP, together with their business partner “Onetrust”, just released a whitepaper called “Bridging ISO 27001 to GDPR”.

    It is interesting to read differences and similarities, both relating to the wording and the goals.

    I think that this is a great document, which can be used to better tackle security and privacy from both an infosec or a regulatory (or legal) point of view, or both!

    You can find the whitepaper here:

    By the way, congrats for the success of your blog and the huge efforts you use to contribute to a better understanding of this technical area.


  20. Hi David, like many others I came across your incredible blog while searching for GDPR certification. I have an interview this Wednesday for a DPO role with an NHS Trust. The person specification specifically says

    “ISO 17024- accredited GDPR Foundation and Practitioner certificate

    Evidence of further education in the application of ISO/IEC
    27002:2013 and other associated standards.

    Evidence of formal training on Data Protection Act and
    Freedom of Information Act.

    Evidence of continuing professional development.”

    Wonder if I have the nerve to tell them their person spec is wrong and there is no such accreditation?!!!

    • Hi Chris, many thanks for your comments!

      I’d be a little careful with the first one, as an “ISO 17024- accredited GDPR Foundation and Practitioner certificate” is a perfectly valid request. ISO 17024 is what I call a certification for certifications, which is fine, but has zero input to the usefulness of even accuracy of the content. What you end up with is a better course than most, but no guarantees whatsoever that the certified person knows what the Hell they are talking about.

      But to then ask for further education in the APPLICATION of ISO 27002 suggests they are also looking for a security expert. One who can assess the implementation of an ISMS. In my experience there are VERY few true experts in BOTH data security AND data protection, though the GDPR is forcing these 2 very different skill-sets to converge.

      I would highly recommend that you DO tell them that they are asking the wrong questions (nicely of course :), because if you don’t, and they end up hiring you, they will have very different expectations of what success looks like. You really don’t want to get caught in the middle of that.

      Best of luck mate!

    • There are several accreditations and many are valid especially IAPP. A certification is proof that you have completed a course of study and passed an exam. It is wrong to say they have no value because they do have value, to you and to those benefitting from your knowledge. The more courses you do, exams you take and practical experience you get, the more you will be able to demonstrate your knowledge. There will of course be a stage where you will, should you wish to, be able to offer your services as a ‘practitioner’.

      • I wrote this blog in April 2017, when the ‘certification’ landscape was VERY different. In the panic, too many people and organisations mistook ‘practitioner’ for expert, and there is not one certification that makes anyone an expert in anything.

  21. You make a valid point David, I agree with what you are saying I looked into it and had the same conclusion.
    There are two points, what this course gives you is a piece of paper that says you have gone over the requirements of GDPR and have a knowledge base from which to start. The other point is that companies are asking for this in their employment briefs. It is basicaly how a lot ofcertifications start take Cisco or CISSP.
    For those reading there is another point and that is the new data protection law (DPA2018) for the UK will build upon this, GDPR its self, still has a number of ambiguous statements which will require case law.
    There are companies pushing people into DPO roles and as David said there is more to it then GDPR. I have sat the course for the paper and even having been involved in GDPR for the last few years itwas useful, especially seeing the people on the course and hearing their experiences. Even though I meet the criteria of a DPO have been involved in it with very large organisations, am a security “expert” by that I mean qualified with a Masters and all the other qualifications, certifications and years of experience. A DPO role has a lot of responsibility and accountability which is not something you take just take up by doing any course, you need background, I would rather be an advisor than the DPO.

    • Many thanks for your comments Ken.

      Your comment; “The other point is that companies are asking for this in their employment briefs.” sadly rings true as I had another comment about that very thing. It’s easy for me to say that if an organisation cannot ask me the right questions and KNOW what qualification / experience are actually important, then I don’t want to work for/with them. But the ignorance is so pervasive that even I am thinking of taking the damned course!

  22. Hello David, Thanks for the great article. I am in India running an established subscription based website which is hosted in the US, which has members from all across the globe. I am in the process of making my site as GDPR compliant as possible by putting in more security at the site and database level and also clear declarations, on the relevant pages, concerning data retention and the process of opening and closing accounts. My problem is even if I put all this in place, how can I be sure that I have taken all the adequate steps? My website just earns a a few hundred dollars a year so I cannot afford to hire lawyers or DP experts. I think this scenario is true of about 90% of the websites out there. I am also curious to know in what way does someone in EU submit a GDPR issue for a website? Is there a standard audit or does someone have to first report the website or is it still something which is vague and unclear? Thanks in advance for your valued feedback.

    • “GDPR issues” are submitted to the relevant supervisory authorities (the ICO in the UK for example; If you are doing your best (and it sounds like you are) I’d would say you have very little to worry about. At this stage supervisory authorities have zero capacity to be pro-active agains small business, so just don’t put yourself above the radar.


  23. David,

    Working for a Security firm our clients often seek “creds” as an assurance that whoever we send on an engagement has some clue on the subject matter. Certification here is referencing individual expertise not certifiying a company as GDPR compliant per see.
    By no means does any course make you an expert in anything. However, it does show clients that you do posses some knowledge of the GDPR. Having completed training and passing an exam is better than just professing your expertise because you read a book on it. I took this training and passed the course. I found their instructor knowledgeable and gained valuable insight on performing a GAP analysis and DPIA’s. Sure its not a CISSP or a CIPP/E but I would trust in an individual with the EU GDPR P certificate over one that simply claims to have expertise. $700 well spent in my book. Until the ICO developes their own training and certification in similar fashion to that of the PCISSC and QSA/ISA training/certification. Which by the way(as a former ISA) was in my opinion even easier to obtain.

    • Thanks for your comments Gary.

      I have no problem with the EU GDPR P certificate as a starter course, what I object to is people with the certification using it to lead GDPR projects. Yes, the company who hires them is just as culpable, but I have seen too many individuals misrepresent themselves.

      As for the certificate being better than reading a book, I will disagree. Maybe ONE book, but I have spent the last year and half reading everything I can lay my hands on and I will pit my knowledge against anyone who has gone the certification route.

      The real data security experts have either degrees in it, or many YEARS of experience, or both. The rest of us are just scratching the surface and should use things like certification to enable us to do our day jobs with a little more context. nothing more.

      And I agree, ISA/QSA training is crap.

  24. Hi David

    Thank you for your post. I’m a lawyer currently responsible for data protection within my company’s in-house legal team. I’ve completed both the foundation and practitioner IT governance courses for two main reasons – 1), to have them on my CV and 2) in case I want to try and move into a less “legal” role – e.g. that of DPO (I realise I lack the practical experience, but think it will at least help me get a foot in the door).

    My query is surrounding IT security. This is something I have a very basic knowledge of (embarrassingly so, I’d expect), but it’s also something I’m very keen to develop my skills and understanding in. I understand that learning from a textbook cannot beat learning through working practically within IT security, but I wondered if you knew any basic/foundation course that I could take to try and increase my knowledge (and add to my CV)! I’m very keen to learn!

    Many thanks for your help.


    • Hi Rachel,

      By far your best option is the Certified Information Systems Security Professional (CISSP) available from If there was a defacto certification in cybersecurity this is the one.

      However, for someone not in the field it will be a very significant level of effort, it’s not easy (even for security professionals), but with your goal of DPO in mind, it’s by far the most appropriate. The 8 Common Bodies of Knowledge (CBK) cover a decent number of security’s foundations, and the fact that you committed to it will look very good on your CV. Besides, if you got through a law degree you clearly have what it takes!

      Best of luck and please reach out if there is anything more I can do to help.


  25. Hi David –

    Thanks for this really informative post, and thanks for cutting through all the noise around GDPR certification. I’m coming to this topic as representative of a certification body (certified to ISO 17065) with a parent association looking to provide this future service to member companies looking for compliance certification. We’re in the market research space, and there is also a parallel effort underway in the EU for adopting a GDPR Code of Conduct, with the relevant ‘teeth’ behind it to gain approval and acceptance from the EDPB, European Commission, and any other EU entity that needs to weigh in.

    Like you, I am reading every resource I can on the subject – for companies, not individuals – and seem to keep finding the same answer. A ruling is coming, and soon, but nothing more than that. I’ve devoured (3 times and counting) the EDPB “Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679”.

    My questions to you are: Have you heard/read anything more definitive than what’s already available? What are your thoughts around how a GDPR compliance audit (with the certification as the goal) would work? Do you foresee that the ‘auditors’ themselves would have to hold some kind of certification (CIPP, CIPP/E, CIPP/US, etc.) to give their compliance audit the gravity needed for formal recognition?

    Lots of question, and so many unanswered questions, and I do appreciation and thoughts or opinions you have on the subject of GDPR certification for organizations.


    • Hi Juliana,

      Thank you for taking the time to write.

      I have read nothing new on the subject of certification unfortunately, and don’t really expect to any time soon.

      To answer your questions (from my non-GDPR expert perspective), here is how I would LIKE to see certification organised:

      1. Certification is optional unless the organisation processes ‘large quantities’ of high-risk data (sensitive data or 3rd country transfers etc);
      2. Certification is self-assessed unless a breach occurs at which point an ‘audit’ organisation will be assigned;
      3. Certify bodies will have to demonstrate appropriate skill-sets, including linked certification (CISSP for security, CIPP/E for data protection, legal experience for contracts and determination of lawful basis etc.);
      4. A voluntary mechanism leading to full certification should be available to those wanting to differentiate themselves from their competition.

      I think I’ll write a blog on this actually…

      All the best.


  26. Thanks for your thoughts on this, David! I appreciate your scope of a certification process, very interesting. I definitely agree on #3, and look forward to some direction from the EC, EDPB, etc., on all of this.

    I’ll look forward to a future blog on the subject, too!

    All best –

  27. Hi David, Do you know if there are any valid certification courses now available? If so, can you point me to them? Also, thanks for this article, I was about to sign up for a course which promised certification.

    • Hi Richard,

      I can only speak for the UK, but no, there are no ‘official’ certification mechanisms available yet. For individuals or organisations.

      I’ll be all over it when/if they are, so stay tuned! 🙂


  28. Hi David,

    Very nice article and I’m in total agreement.

    Companies are definitely screaming out for some kind of compliance mechanism for certification. Two I’ve come across and am working through notwithstanding no EDPB approval:

    The “looks good” model, similar to a paper based 27001 scope, or other “self cert. questionnaire” model of certification is beginning to become the norm if a company is even bothering with the above examples of certification mechanism.

    I’ve heard too many sales people saying their company is GDPR compliant which just makes my right eyelid flicker.

    This is still like a San Andreas fault line in my mind, maybe more on an individual company basis rather than the onslaught of fines expected or the storm of Subject Access Requests for all companies. Its just knowing when the small internal quakes are leading to the “BIG ONE”.

    I can only see the knowledge base in this area becoming more valuable for people working on the fault-line as best they can trying to hold it back considering the internal politics involved in building quake resistant structures.


If you think I'm wrong, please tell me why!

This site uses Akismet to reduce spam. Learn how your comment data is processed.