Looking for a Certified Data Protection Officer (DPO)? Look no further…

{Spoiler: There aren’t any}


What’s the advice from the regulator?

The ICO today tweeted a link to their ‘guidance on certification’ which you can find HERE. It’s unclear how new this publication is, as the ICO do not date their website publications; however, this is not a page I have seen before.

On this page the ICO states

“Currently there are no approved certification schemes or accredited certification bodies for issuing GDPR certificates. Once the certification bodies have been accredited to issue GDPR certificates, you will find this information on ICO’s and UKAS’s websites”.

They also state they have…

“no plans to accredit any certification bodies or carry out certification”

Which is unfortunate. This means that there is no such thing as a ‘Certified DPO’; hence, I recommend that businesses stop looking for them/look no further.

This begs the question, who are these individuals that claim to be ‘Certified DPOs’ and who are the companies that are looking for them? Claiming to be a ‘Certified DPO’ potentially (ironically) shows a lack of understanding of current DP legislation. To my knowledge, the only country in Europe that has set up regulations for a data protection officer certificate scheme is Spain (AEPD) under the ISO17024 standard, and their prerequisites just for getting to the assessment stage are quite robust. According to the IAPP they will need:

“at least five years’ professional experience working on data-protection-related activities and/or projects; at least three years’ experience on the same, plus at least 60 hours of recognized specialist training; at least two years’ experience plus at least 100 hours of training; or, in the case of zero experience, at least 180 hours of training.”

Companies looking for certified DPOs, I can only imagine, simply don’t understand the current legislation which puts them in a real catch-22 situation.

So, what’s the solution?

Well, ideally, the ICO could follow the lead from the Spanish AEPD and approve some certification schemes or carry out some training themselves. An easier step for them could be to define the term ‘certified’ and state the minimum requirements/list of qualifications that would qualify a DPO as ‘Certified’ (such as CIPP and CIPM), effectively leaving the certification in the hands of training providers.

In the meantime, businesses will need to sit down with their data protection advisors or privacy teams and discuss what they think is the minimum requirement they need for their DPO. Recital 97 of the GDPR states that:

“a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation”

and that

“The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor”.

The WP29 have also previously released an opinion on the requirements of a DPO stating:

“expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;

understanding of the processing operations carried out;

understanding of information technologies and data security;

knowledge of the business sector and the organisation;

ability to promote a data protection culture within the organisation.”

I would encourage individuals to stop claiming to be ‘Certified DPOs’ and I would encourage businesses to be cautious of anyone claiming to be a ‘Certified DPO’. After looking around at the current ‘Certified DPO’ courses on offer, they seem to be severely lacking, with most lasting 5 days or less. One quite well-known provider delivers its ‘Certified DPO’ course in a single day, with no prerequisites, and starts the day with “An introduction to data protection”. Is this the Certified DPO you’re looking for?


Some certifications/qualifications that you may wish to look for from your DPO could include:

Certified Information Privacy Professional (CIPP)

Certified Information Privacy Manager (CIPM)

Certified Information Privacy Technologist (CIPT)

BCS (formerly ISEB) Practitioner Certificate in Data Protection

You’re also likely to come across some more extensive courses and qualifications in the field of Data Protection such as the “Information Rights Law and Practice Postgraduate Certificate” delivered by Northumbria University.


In addition to these qualifications, you should look for someone with real-life experience who works on data protection full time. If you need help finding a resource then MapSterling can help: we have individuals ranging from a few years of experience to internationally renowned Data Protection Officers of multi-national companies. You can get in touch through our contact form HERE.

