Instant expertise in the GDPR?

Would you engage a CFO who had only taken a one week accountancy course?

I was recently alerted to a four day ‘Certified EU General Data Protection Regulation Practitioner’ training course that’s described by its provider as equipping those who pass its 90 minute computer marked multiple choice exam to ‘successfully fulfil the role of the Data Protection Officer.’ Its only published prerequisite is a one-day ‘foundation’ course that includes its own one hour exam but which has no training or experience prerequisites itself. So from zero to certification this training offering consists of just five days of training minus two and a half hours of computer marked multiple choice testing. But it’s far from unique – similar courses are being advertised widely, and I bet they're creating a lot of revenue.

As a 20 year veteran of Data Protection and business risk consulting that horrifies me, particularly as such ‘certifications’ of one week’s training are already increasingly widely demanded by both recruiters and managers engaging consultancy services.

My first challenge to this course is that the GDPR makes no provision for certification of practitioners. The only certification provided for is of compliance for Data Controllers and Data Processors, and that derives from national initiatives which have not yet been implemented either in the UK or anywhere in Europe. But on further investigation, the ‘certification’ of the course turns out to be to ISO 17024 ‘Conformity assessment – General requirements for bodies operating certification of persons’ – an international standard covering the administration of, and processes adopted by, certification bodies and training providers. Where it touches on content at all it is only in terms of conformity between training and testing, not subject-specific adequacy for a particular real-world objective. Such certification thus has absolutely no bearing on the coverage, depth or quality of course content. Given the absence of any regulated certified status for Data Protection Officers under the GDPR and the applicability of ISO 17024, the only reasonable interpretation of ‘certified’ for the trainee is an assumption that passing a 90 minute pub quiz results in being handed a certificate. In terms of objective verification of competence to perform any business function at all, the value of this would seem questionable.

My second challenge is the extraordinary assertion in the promotional material for this course that a pass in the test equips one to act as a Data Protection Officer (DPO). So let's verify this. The GDPR is explicit about the role and duties of a DPO. In fact it allocates the whole of Section 4 to that alone, starting with Article 37(5): ‘The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.’ What stands out like the proverbial sore thumb here is ‘expert knowledge of data protection law’ – a level unlikely to be attained in five days training, however intensive the delivery.

Looking at Article 39(1) we find that a DPO must be able:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

Article 35 describes the requirements for Data Protection impact assessments, on some aspects of which the GDPR is itself rather vague and partially self-contradictory, so Article 39(1)(c) is an obligation that will necessarily call on personal judgement.

Article 36 requires prior consultation with the supervisory authority – in the UK, the Information Commissioner (ICO) – where processing may be extensive, high risk or involve substantial sensitive data. Here again, uncertainty looms – the criteria for determining high risk and extensive are extremely vague, so again there will be a need to exercise personal judgement.

However, even ignoring these uncertainties and their concomitant requirement for robustly justified expert judgement, it’s clear that a DPO requires the ability to interpret law (and not just the GDPR but other laws in relation to it), diplomacy and negotiation skills of a high order (as was demonstrated by their absence in the Talk Talk debacle), and both business and technical understanding sufficient to guide the business and to both decide on the need for, and negotiate through to fulfilment, any prior consultation with the Information Commissioner. The DPO will also need professional skills in auditing and training (or at least in their management), and essentially although not explicitly specified in the regulation, a thorough familiarity with the business itself, its purposes and processes.

On top of all this, the DPO is expected to be the primary point of contact for data subjects with queries and grievances [Article 83(4)], and must therefore be able to deal effectively and diplomatically with public contact of all kinds – precise, muddled, valid, invalid, excessive, spurious, specious and malicious. And although the DPO can not be fired for performing the regulated function, he or she might well be liable for professional negligence, whether the outcome of a bad decision adversely were to affect the business, data subjects or third parties.

The reality is that DPO is not a role that an individual, however well trained, can safely undertake single handed, as the breadth of required expertise and talents is too great. To be effective, the nominated DPO will always find they either lead a team of specialists if the business is big enough, or alternatively manage a set of specialist outsourced services, many of which will rarely be called upon but will be needed urgently in emergency. In both cases, effective people management has to be added to the pile of talents, so all in all we're not talking here about folks who have just come in off the street and studied – however intently – for five days.

Furthermore, Article 38(3) includes the statement ‘The data protection officer shall directly report to the highest management level of the controller or the processor.’ The DPO is thus essentially a member of the ‘C suite’ – responsible to the ICO, data subjects and the Executive of the business, and making decisions on the basis of his or her personal judgement that have potentially huge and far reaching implications.

It will be years before the courts have created enough precedent to clarify the vast number of issues the GDPR throws up. In the meantime, not only has the DPO the duty to protect the organisation's data subjects from harm and infringement of their rights and freedoms, but also the tacit obligation to minimise the chance of the organisation that employs them becoming the subject of one of the legal precedents. At the same time the DPO’s guidance must as far as possible minimise any inhibiting effects implementing the regulations has on the legitimate conduct of the business.

So my third challenge is that whatever the quality and depth of a training course, multiple choice testing is fundamentally inappropriate for validating the skills and talents required to manage the complexities of keeping a business compliant with the GDPR. To verify the expertise required to balance all the potentially conflicting obligations, what needs to be tested is the analytical ability to work out what the questions are, not just the memory retention to identify which of the presented answers best accords with what you have just been told. Multiple choice tests are intrinsically unable to fulfil this essential requirement. They are realistically no better than the approach adopted by the 19th century National Schools, where accurate regurgitation of long rote learned passages of text was considered to demonstrate knowledge. In fact they're worse – we now merely expect the trainee to identify which of the short phrases in front of them is closest to what they can retain in memory for a week.

The bottom line is that, even leaving aside any suggestion of misrepresented attainment levels, short courses and ‘certifications’ of this kind really certify nothing worth certifying. We must demand training courses and testing methods that provide an objectively adequate demonstration of capacity to deliver what employers and clients actually need – as a minimum, sufficient understanding and informed judgment to protect the business and its data subjects reliably from harm. Delivering this kind of training will inevitably be more expensive than what is currently on offer, but the aggregate cost to the business community and the public at large of continuing in the current vein is pretty certain to be vastly greater.

Mike Barwise
Director, BiR