DPO certification should be regulated

Research output: Working paper, Discussion paper, Other research output

Abstract

The Data Protection Officer (hereinafter DPO) is a key figure of the general data protection reform. The profile that the General Data Protection Regulation (hereinafter GDPR) requires for this position is demanding, and few people have the required competences and experience.
Many companies, especially SMEs, that are required or simply planning to hire a DPO before May 2018 are lost and, sometimes, misled by opportunists leveraging the shortage of suitable candidates.
Hence, one observes a strong demand for a guaranteed minimum level of competences among candidate DPOs.
Many schemes offering to certify a minimum level of knowledge have popped up in the Member States. However, the DPO certification market remains very fragmented and presents many inconsistencies regarding the content and process offered.
Experience with certification in other activities has demonstrated that the proliferation of unregulated certification schemes creates inconsistencies in the schemes’ content. It encourages competition between them and raises the risk of a race to the bottom that could undermine trust in this procedure.
The need to regulate DPO certification underlines the need to regulate the other schemes established outside Article 42 regulation.
One does not find in the GDPR any restriction preventing the regulation of this type of scheme, even though such schemes are not recognized as means of accountability.
The authorities could mandate the European standardization bodies to design a harmonized DPO standard within the implementation acts and include the accreditation of private certification bodies in the process specified in Article 43.1.
This could offer the opportunity to set up a twofold regulation process for schemes falling within the scope of Article 42.1 and those falling outside it.
Original language: English
Publisher: SSRN
Pages: 1-25
Number of pages: 25
Publication status: Published - 1 Apr 2018

Fingerprint

certification
data protection
regulation
candidacy
level of knowledge
accreditation
proliferation
shortage
experience
reform
responsibility
planning
human being
demand
market

Keywords

  • Certification
  • certification mechanisms
  • GDPR

Cite this


DPO certification should be regulated. / Lachaud, Eric.

SSRN, 2018. p. 1-25.
