Abstract

The Data Protection Officer (hereinafter “DPO”) is a key figure of the general data protection reform. The profile that the General Data Protection Regulation (hereinafter “GDPR”) requires for this position is demanding, and few people have the required competencies and experience. Many companies, especially SMEs, that are required or simply planning to hire a DPO before May 2018 are a little lost and sometimes misled by opportunists leveraging the shortage of suitable candidates. There is strong demand for a guarantee that candidate DPOs have a minimum level of competence. Many schemes offering to certify a minimum level of knowledge have popped up in the Member States. However, the DPO certification market remains very fragmented and presents many inconsistencies in the content and process offered. Experience with certification in other activities has demonstrated that the proliferation of unregulated certification schemes creates inconsistencies in the schemes’ content. It also encourages competition between them and raises the risk of a race to the bottom that could undermine trust in this procedure. The GDPR does not contain any restriction preventing the regulation of schemes established outside Article 42, even though they are not recognized as possible means to instill accountability. The authorities could mandate the European standardization bodies to design a harmonized DPO standard within the implementation acts and include the accreditation of private certification bodies in the process specified in Article 43.1 of the GDPR. The solution envisioned could offer the opportunity to set up a twofold regulation process for data protection certification, one dedicated to the schemes falling within the scope of Article 42.1 and another for those not falling within this scope.
