Greetings from Brussels!
There still remains considerable debate surrounding the questions of data protection staff training and certification in Europe and beyond. You only have to view daily social media chatter and blogs to find an array of opinion (and criticism) on market offerings out there. Notably, with the advent of the EU General Data Protection Regulation, there has been an exponential emergence of players in the training arena with offerings claiming GDPR and/or DPO expertise. And while it is welcome to see a burgeoning industry from tech vendors to training providers in support of privacy functionality, one should really step back and look to benchmark the diverse market offers in conjunction with their needs. As with any industry, there is “the good, the bad, and the downright ugly.”
Increasingly, industry and privacy pros look to European regulators to advise on such matters; GDPR guidance emanating from the WP29 and independently from the national watchdogs has, to date, been a critical factor and influence in how organizations tackle and plan their GDPR compliance and implementation projects. The recurrent question my colleagues and I are increasingly asked is: How does one select training and certification from what is on offer? Furthermore, in my interactions with regulatory offices, they too appear to be inundated with information requests on the subject.
I started commenting on this back in August in my weekly editorial, and perhaps you’ll remember that the Irish Data Protection Commissioner released guidance on training and related appropriate qualifications for a data protection officer. In summary, the Irish DPC recommended that the following non-exhaustive list of factors be taken into consideration when selecting the appropriate DPO training program: actual content and the means of the training and assessment; whether training leading to certification is required; the standing of the accrediting body; and whether the training and certification is recognized internationally.
There is a wide variety of data protection credentials in the marketplace, with differing requirements and features. These credentials may also be subject to varying levels of (independent) third-party oversight and validation (accreditation). Understanding these differences will help organizations and individuals to make the right choice for the task at hand. As for the IAPP, we have obtained our accreditation from the third party ANSI, which speaks to our credential quality and integrity in line with ISO standard 17024. In short, a formal process known as a “Job Task Analysis” is undertaken to determine what professionals in a particular field do, under what conditions, and with what levels of knowledge and skill. The JTA is a rigorous requirement for accreditation under ISO 17024. Moreover, there is an annual audit undertaken by ANSI to ensure that our credentials are up-to-date and relevant. This independent accreditation provides a high degree of assurance as to the substance and integrity of our certification program.
Another important feature of ISO 17024 is the continuing education associated with the credential; this is a requirement to maintain the international ISO standard credentials as relevant and credible. It stands to reason that with compliance evolution, in a fast-paced innovative (and disruptive) working environment, ongoing education is increasingly desirable and commonplace in organizations; the professional training and credential market is increasingly a strategic and competitive driver for organizations around the world. I recently spoke to a European CEO of a cloud service provider who said to me, “If you are not constantly learning and adapting to developments in your industry, you become increasingly irrelevant and possibly redundant within a time frame of two years.” He was adamant that employee education and training be fundamental to organizational culture to be competitive. The absence of that argument wasn’t worth contemplating in his view.
At the IAPP, we certainly share this view and, through our diverse offerings and connections to a broader professional community, feel that we are meeting the needs and ongoing educational requirements of the privacy profession. Our privacy members and volunteers work diligently to ensure that we are relevant for the global community wherever they find themselves. A recent example of that commitment is our announcement that we will be offering the CIPP/E and CIPM credential exams in French and German. We continue to listen to the community and plan for the future. Clearly, privacy and data protection from a compliance and business enablement perspective will remain mainstream for the foreseeable. There is much to be done.