Prove your Expertise in Data Protection

To ensure security breaches are effectively avoided, organisations need to have strong security practices and policies. Robust data protection practices and policies can also ensure potential lawsuits and regulatory investigations related to data security are effectively avoided. 

One of the certification programs on information privacy that’s acknowledged around the world is the CIPP certification. The Certified Information Privacy Professional (CIPP) helps professionals bolster risk mitigation practices as well as compliance. It is also designed for the “go-to person for privacy laws, frameworks, and regulation.”

People who get the CIPP certification are not limited to security professionals with IT backgrounds. It also involves individuals from the legal, governance, or management teams. Apart from getting the right data protection certifications, you can also provide proof of your data protection expertise by exhibiting the following key characteristics:

Experience in security risk assessment and privacy

The General Data Protection Regulation (GDPR) requires that Data Protection Officers (DPOs) “have due regard to the risk associated with processing operations.” This also highlights some of GDPR’s risk-based provisions such as the requirement to implement “appropriate organisational and technical measures” to maintain security of processing and demonstrate compliance. 

In both scenarios, the GDPR indicates that appropriate measures should take into consideration the scope, context, purposes, and nature of processing as well as the risks to data subjects. This obligation will also likely require DPOs to give guidance on DPIAs, risk assessments, and best practices that can mitigate risks.

Knowledge of data protection practices and laws 

The GDPR also requires that the DPO is someone with “expert knowledge of data protection laws and practices.” A DPO should be very familiar not just with the GDPR and its application in practice but also other relevant data protection practices and laws. This also includes overseas data protection laws in countries where the organisation has a presence.

Ability to work independently

DPOs should not have any conflicts of interest and should be able to perform their tasks and duties in an independent manner. In other words, a DPO should be able to carry out their duties according to how they see fit, with no influence from other people within the organisation or the board of directors. This also necessitates a level of independence, seniority, and the ability to assert themselves.

The DPO is also allowed to carry out functions within the organisation but cannot perform roles that conflict with the role of their role as DPOs such as identifying the purposes and means of data processing. 

One example of this is when an Information Systems manager scans everyone’s email for data loss prevention purposes.

From the GDPR perspective, a DPO may consider this inappropriate. If the roles of the Information Systems manager and the DPO are combined into a single role, there is an obvious conflict. DPOs need to be completely within their roles. 

DPOs are also bound by confidentiality/secrecy considerations when it comes to the performance of their task, in accordance with the laws that are applicable.

Ability to communicate effectively

Under Article 39.1, the DPO is required to cooperate with the supervisory authority and at the same time, act as the point of contact for the supervisory authority on issues that relate to processing. Therefore, the DPO must be able to communicate with regulatory authorities effectively.

A DPO that covers multiple jurisdictions might not be able to speak the language of each supervisory authority it deals with. In similar cases, the DPO should at least speak the language of the main market. Additionally, the DPO should speak the language of the data subjects so they can handle their complaints and requests effectively.