DPOcert – an accredited personal certification for data protection officers

The Data Protection Foundation and the BvD have jointly developed an accredited certification for data protection officers in Germany. Both data protection officers who need transparent proof of their expertise and companies looking for a qualified data protection officer can benefit from this. The certification will be launched in 2025.

It is sometimes difficult for data protection officers to provide adequate proof of their expertise in Germany. This is somewhat surprising: on the one hand, Germany has the largest market for training and qualification opportunities in a member state of the European Union. On the other hand, however, this market has not yet produced any standardized proof of suitability for data protection officers. As a result, there are many different ways of proving professional competence as part of suitability in Germany. Training providers participating in the training market often conduct examinations themselves according to their own considerations, without any coordination with suitable interest groups. The quality criteria are not disclosed in any way. The examinations are sometimes geared more towards the training courses’ own canon of content than towards the needs of the profession. The requirements for data protection officers are also subject to noticeable change, which is also not understood.

For many other professions, on the other hand, there are recognized certifications that provide transparent evidence. International standards provide the essential basis for this. The ISO 17024 standard sets internationally recognized requirements for personal certifications. In Germany, however, this standard has not yet been implemented with a recognized program for the certification of data protection officers. The result is the wide variety of “certificates” mentioned above, the quality of which cannot be independently verified.

There is an unmanageable variety of proprietary certificates from individual institutes. This is initially a problem for those who are looking for an opportunity to be trained. How can you recognize providers who have not only built up their expertise at the end of a comprehensive training course, but can also prove it? Furthermore, the variety of courses on offer makes it difficult for organizations looking for data protection officers to assess the quality of a certification.

The French supervisory authority CNIL and the Spanish supervisory authority AEPD have shown the way: with a coordinated “conformity assessment program” in accordance with ISO 17024, which defines the requirements for data protection officers in line with standards, training providers can prepare for examinations that are then carried out by independent bodies in line with standards. The content of these examinations is derived from data protection legislation and practical experience. An important basic document is WP-243 of the European Data Protection Board (formerly Art. 29 WP) on the requirements for data protection officers. Professional associations from the respective countries were consulted by the supervisory authorities for these certifications. These programs are now publicly available as a standard (in French and Spanish) and bodies wishing to work with them can obtain accreditation for training and certification. For companies and data protection officers alike, it is therefore clear that certification in accordance with this standard provides proof of basic expertise to the supervisory authorities.

In France and Spain, the provision of such certifications is one of the statutory tasks of the data protection supervisory authorities. This is not directly formulated as a mandate in Germany. However, such certification based on these French and Spanish models is also desirable for Germany and other EU member states due to the situation mentioned above. The BvD’s Professional Profile Committee has therefore been working on the DPOcert program since 2019. The Data Protection Foundation is now a partner. The first drafts of the program have been available since 2020 and have been undergoing a program review by the German Accreditation Body (DAkkS) since mid-2021, which is expected to be completed shortly.

Organizational structure

The standard-compliant design of such programs (conformity assessment programs) provides for various roles whose independence in principle guarantees overall quality. In Germany, recognized certification procedures must be accredited by the DAkkS, the German accreditation body. On the one hand, this applies to a program that sets out the requirements and processes in accordance with the ISO 17024 standard. The accreditation body also accredits certification bodies that must implement standard-compliant and program-compliant testing procedures.

Certifiers or certification institutions carry out checks in line with the requirements defined in a program.

In principle, all certification institutions generally accredited for the ISO 17024 standard for personal certification can be considered as certifiers. The DPOcert program describes the requirements objectively so that an independent examination is possible. The requirements for training providers are not quite as high as for certifiers: access to detailed information and the possibility of training in accordance with DPOcert requires licensing, but this does not create any significant hurdles. DPOcert is designed to be open: participation is open to training institutes as well as certifiers. The program owners agree that dissemination should not be hindered by licensing costs. The Data Protection Foundation and the BvD have an interest in the standard that is anchored in their statutes. However, the subsequent running costs should be self-supporting.

The programme is not static: the programme owners Stiftung Datenschutz and the BvD organize a programme committee in which representatives of the roles involved update the requirements of the certification programme. Training service providers and certifiers contribute their experience here and the program is jointly adapted to changing requirements.

DPOcert requirements

As with the programs of the French and Spanish data protection supervisory authorities, DPOcert initially focuses on basic and fundamental knowledge. Skills and competencies are then supplemented through practical application.

DPOcert takes into account the three areas of competence that are already addressed in the job description for data protection officers. As expected, legal data protection knowledge is an essential building block. The knowledge in this area must be application-specific, so it is also about the translation of legal requirements for practical application. Another relevant area is information technology. The general functionality as well as information security must be understood. The third area is the technical side. Data protection advice must be specific to the technical content. The program is primarily concerned with data protection in standard company processes. Proof of knowledge in these three pillars is not only provided by means of a final examination, but also by demonstrating the corresponding prerequisites. More specific requirements are therefore demanded for admission to the examination. These are based on the requirements of the profession, which in turn must relate to standards (European Qualifications Framework). The basis is initially the general level of education. A completed degree in a thematically fundamental subject area is the basic standard. Other suitable educational backgrounds can be included in the future. In addition, requirements are placed on general and data protection-specific professional experience.

Several years of professional experience, also related to data protection, is certainly crucial for the development of skills. Finally, a special qualification as a data protection officer of at least 30 hours is required. It should be clear that this is more of a lower time limit. There are currently qualifications available on the market that provide more in-depth training in considerably more time, also with a view to certification. Guidance for this requirement in DPOcert was provided by the corresponding requirement of the French supervisory authority.

The certification is completed with a 180-minute examination covering all areas of competence.

Recertification for DPOcert takes place after three years: Firstly, professional experience in the field of data protection must be demonstrated. Secondly, proof of up-to-date knowledge must be provided through training certificates.

What happens next

Accreditation by the DAkkS is expected shortly. The program will then be publicly available. Certifiers in particular will then be informed of the current status and can begin to set up the corresponding testing processes. We expect that offers for certification will be available on the market within a few months of accreditation and that the first certifications can be carried out.

Conclusion

The Data Protection Foundation and the BvD have jointly set out to develop an accredited personal certification for data protection officers in Germany. This is open to both trainers and certifiers. The market for training programmes in Germany is currently very confusing. Both data protection officers who need transparent proof of their expertise and companies looking for a qualified data protection officer can benefit from such recognised certification. The certification can start in 2025 and will hopefully spread quickly and provide orientation for the various market participants in the data protection qualification market.

About the authors

Kirsten Bock is a consultant for data protection law at the Stiftung Datenschutz. Among other things, the lawyer previously worked on the development of the Standard Data Protection Model (SDM) and set up the testing and consultation process for the European data protection seal EuroPriSe at the Independent State Center for Data Protection Schleswig-Holstein. She has also been involved in numerous committees and working groups at international, European and federal level on the design of data protection rights and agreements. She is also a member of the federal government’s Science and Innovation Advisory Council on Register Modernization.

Dr. Kai-Uwe Loser is a BvD board member and official data protection officer at Ruhr University Bochum and the University of Duisburg-Essen. The engineer also conducts research in the field of “Sociotechnical System Design and Artificial Intelligence”, including data protection in sociotechnical systems and the use of groupware for knowledge management and learning organizations.
