Sunday, October 15, 2017

The Data Protection Officer Shall Be Designated On The Basis Of Professional Qualities

With respect to the DPO, the GDPR states that, "The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39." GDPR Article 37, Paragraph 5. 

And that, "The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge." GDPR Article 38, Paragraph 2.

Knowledgeable advice and direction are given by attorneys specializing in privacy, consultants and IT professionals with years of practical experience. To assist their efforts, dozens of new software applications are being introduced to the market offering customized GDPR solutions.

A short list of organizations offering programs and certifications relevant to GDPR would include the IAPP, ISACA, (ISC)² and the EU GDPR Institute.

The International Association of Privacy Professionals (IAPP) was formed in 2000 and describes itself as the world's largest information privacy organization. The IAPP offers the CIPP, CIPM and CIPT certification programs, specifically designed for professionals who manage, handle and access data. The IAPP also awards the FIP designation.

CIPP - Certified Information Privacy Professional - is the "what", showing an understanding of the laws, regulations and standards of privacy in a specific jurisdiction or discipline. CIPP offers five concentrations, each focused on a specific region or sector: Asia (CIPP/A), Canada (CIPP/C), Europe (CIPP/E), U.S. Government (CIPP/G) and U.S. private sector (CIPP/US).

CIPM - Certified Information Privacy Manager - is the "how" of operations, showing an understanding of how to use process and technology to manage privacy in an organization, regardless of the industry or jurisdiction.

CIPT - Certified Information Privacy Technologist - is the "how" of technology, showing an understanding of how to build privacy requirements and controls into technology and manage them.

FIP - Fellow of Information Privacy - demonstrates a comprehensive knowledge of privacy laws, privacy program management and essential data protection practices, and is awarded after completing two IAPP credentials.

The Information Systems Audit and Control Association, now known by its acronym ISACA, has been in existence for almost 50 years, boasting 140,000 members in 170 countries. ISACA offers the CISA, CRISC, CISM and CGEIT certifications.

CISA - Certified Information Systems Auditor - demonstrates audit experience, skills and knowledge, and the ability to assess vulnerabilities, report on compliance and institute controls within the enterprise.

CISM - Certified Information Security Manager - this management-focused certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise's information security.

CRISC - Certified in Risk and Information Systems Control - prepares IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise.

The International Information System Security Certification Consortium, known as (ISC)², offers a number of different certifications, with the Certified Information Systems Security Professional (CISSP) being one of the most prominent. The CISSP recognizes information security leaders who have the knowledge and experience to design, develop and manage the overall security structure of an organization.

Another organization which recently emerged is the EU GDPR Institute. The EU GDPR Institute offers a GDPR Certification and a DPO Certification. Its work focuses on the GDPR regulations and on helping organizations comply in this new era of privacy. The EU GDPR Institute code of conduct (certification mechanism) provides a platform for data controllers and processors to ensure a structured and efficient means of GDPR compliance.