DPO certification should be regulated

Eric Lachaud

Research output: Working paperDiscussion paperOther research output


The Data Protection Officer (hereinafter DPO) is a key figure person of the general data protection reform. The profile required in the General Data Protection Regulation (hereinafter GDPR) to hold this position is demanding and people having the required competences and experience are limited.
Many companies, especially SMEs, required or simply planning to hire a DPO before May 2018 are lost and, sometimes, misled by opportunists leveraging the shortage of suitable candidates.
Hence, one observes a strong demand for guaranteeing a minimum level of competences to the candidate DPOs.
Many schemes offering to certify a minimum level of knowledge have popped up in the Member States. However, the DPO certification market remains very fragmented and presents many inconsistencies regarding the content and process offered.
The experience of certification in other activities has demonstrated that the proliferation of unregulated certification schemes creates inconsistencies in the schemes’ content. It encourages competition between them and raises a risk of a race to the bottom that could undermine the trust in this procedure.
The need for regulating the DPO certification stresses the necessary regulation of the other schemes established outside Article 42 regulation.
One does not find in the GDPR any restrictions preventing of regulating this type of schemes even though they are not recognized as means of accountability.
The authorities could mandate the European standardization bodies to design an harmonized DPO standard within the implementation acts and include the accreditation of private certification bodies in the process specified in Article 43.1
It could offer the opportunity to set up a twofold regulation process for schemes entering into Article 42.1 scope and those not entering into this scope.
Original languageEnglish
Number of pages25
Publication statusPublished - 1 Apr 2018


  • Certification
  • certification mechanisms
  • GDPR


Dive into the research topics of 'DPO certification should be regulated'. Together they form a unique fingerprint.

Cite this