The job of Data Protection Officer, also known as DPO, is still relatively new, yet several training courses already exist. So how do you become a Data Protection Officer? Although the GDPR gives some indications on the function and missions of the DPO, what training is required to become a DPO?
Who can become a Data Protection Officer?
As a reminder, according to Article 37.5 of the GDPR, the Data Protection Officer must be appointed “on the basis of his or her professional qualities and, in particular, his or her specialist knowledge of data protection law and practices, and his or her ability to carry out his or her duties”.
With a cross-functional role in the company and varied missions, to date there is no standard profile for the DPO’s job, who can therefore be a lawyer, engineer, etc. A study carried out in 2015 by the CNIL showed that Data Protection Officers (former CILs) had a variety of professional profiles and expertise:
What training should I do to become a Data Protection Officer?
At present, there is no specific training to become a Data Protection Officer either, but several training courses provided by various organisations do exist to train for the job of DPO:
Short training courses that allow, in a few days, to grasp the main lines of the GDPR, such as the CNAM training. Some of these can be financed via the CPF (formerly DIF).
Long courses, generally offered by engineering schools or universities in the form of a University Diploma (DU).
Example : France – The CNIL certification mechanism :
The Data Protection Act, amended by the Act of 20 June 2018, gives the CNIL new powers in terms of certifying individuals. Therefore, in order to identify the skills and know-how of the DPO, the CNIL has adopted two reference systems for the certification of DPOs
The repository sets out in particular the conditions of admissibility of applications and the list of 17 competences and skills expected to be certified as a DPO.
Nevertheless, before considering obtaining a DPO certification, the CNIL requires that the candidate meets one of these two experience conditions:
Proof of at least 2 years’ professional experience in projects, activities or tasks related to the tasks of the Data Protection Officer;
Proof of at least 2 years’ professional experience and at least 35 hours’ training in data protection from a training organisation (e.g. AFNOR)
Reference framework setting out the criteria applicable to bodies wishing to be authorised by the CNIL to certify the skills of a DPO on the basis of its reference framework. For example, AFNOR CERTIFICATION has been granted approval of the CNIL reference framework for a period of 5 years from 4 July 2019.
Certification and CNIL standard: what are the differences?
However, it is necessary to differentiate between certification and training, which are two different things:
Certification is not compulsory to exercise the function of DPO ;
Conversely, it is not necessary to be designated as DPO to be a candidate for certification of DPO skills.
The certification is a voluntary mechanism, allowing individuals to prove that they meet the requirements of competences and know-how of the DPO provided by the GDPR. Thus, it is quite possible to follow a training course without undergoing certification. In concrete terms, certification is an added value, in terms of confidence both for the organisation to which the DPO belongs and for its public, whether it be its clients, suppliers, partners, etc.