The job of Data Protection Officer, also known as DPO, is still relatively new, yet several training courses already exist. So how do you become a Data Protection Officer? Although the GDPR gives some indications on the function and missions of the DPO, what training is required to become a DPO?
Who can become a Data Protection Officer?
As a reminder, according to Article 37.5 of the GDPR, the Data Protection Officer must be appointed “based on his or her professional qualities and, in particular, his or her specialist knowledge of data protection law and practices, and his or her ability to carry out his or her duties.”.
With a cross-functional role in the company and varied missions, there is no standard profile for the DPO’s job, who can therefore be a lawyer, engineer, etc. A study carried out in 2015 by the CNIL showed that Data Protection Officers (former CILs) had a variety of professional profiles and expertise:
What training should I do to become a Data Protection Officer?
There is no specific training to become a Data Protection Officer either. Still, several training courses provided by various organizations do exist to train for the job of DPO:
Short training courses allow, in a few days, to grasp the main lines of the GDPR, such as the CNAM training
Engineering schools or universities generally offer long courses in the form of a University Diploma (DU)
Example: France – The CNIL certification mechanism :
The Data Protection Act, amended by the Act of 20 June 2018, gives the CNIL new powers in certifying individuals. Therefore, to identify the skills and know-how of the DPO, the CNIL has adopted two reference systems for the certification of DPOs.
The repository sets out, in particular, the conditions of admissibility of applications and the list of 17 competencies and skills expected to be certified as a DPO.
Nevertheless, before considering obtaining a DPO certification, the CNIL requires that the candidate meets one of these two experience conditions:
Proof of at least 2 years of professional experience in projects, activities, or tasks related to the tasks of the Data Protection Officer
Proof of at least 2 years of professional experience and at least 35 hours of training in data protection from a training organization
Reference framework setting out the criteria applicable to bodies wishing to be authorized by the CNIL to certify the skills of a DPO based on its reference framework.
Certification and CNIL standard: what are the differences?
However, it is necessary to differentiate between certification and training, which are two different things:
Certification is not compulsory to exercise the function of DPO ;
Conversely, it is optional to be designated as DPO to be a candidate for certification of DPO skills
The certification is a voluntary mechanism, allowing individuals to prove that they meet the requirements of competencies and know-how of the DPO provided by the GDPR. Thus, it is possible to follow a training course without undergoing certification. In concrete terms, certification is an added value in terms of confidence, both for the organization to which the DPO belongs and for its public, whether it be its clients, suppliers, partners, etc.