By | Sunday January 22nd, 2017

Following the complex mapping of the Controller certifications provided for by the GDPR, we now turn to the certification of persons.

From a normative point of view this topic is very simple: THE CERTIFICATION OF PERSONS IS NOT PROVIDED FOR or, more precisely, IS NOT REQUIRED. Hence the GDPR neither provides for nor requires certified professional roles, not even for the most innovative role it introduces, the DPO.

Why, then, is there such emphasis on, and such prolific growth of, certifications concerning this professional role and other professional roles related to privacy?

A normative incentive is actually present.

As reaffirmed by WP29 in the recent DPO guidelines, the Controller will have to document its choices concerning the DPO role, especially in those instances where it has decided that such a role is not compulsory within the organization.

But how will Controllers who deem the role compulsory prove that they chose the right person, that is, the person who meets all the requisites prescribed by law and further specified by WP29 for this role?

Probably, apart from the more qualified Controllers, others will have greater difficulty evaluating those who might take on this task. The issue will be bigger for public entities, as these entities must have a DPO.

Here certifications might have a role; CERTIFICATIONS, though, in their wider meaning.

Not only those concerning professional privacy figures, but also certifications in safety and audit settings.

A person who holds several certifications in different settings is even better.

It is nonetheless clear that a Controller may, without any issue, designate as DPO a person without any certification, since certification is not required by the GDPR, as long as he/she has the characteristics provided for by law.

Certifications must then be evaluated for what they are: a significant element that must be considered together with the other features that qualify a person.

Moreover, it is obvious that certifications are not to be considered exhaustive; they may not assure an essential, and often forgotten, component of the requisites provided for by the GDPR:

Knowledge of the business sector and of the organization of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller.

Thus, if you want to be the DPO of a bank, you must have some years of experience in a bank; the same goes for other sectors.



Over the last few years, certifications for privacy professionals have become available on the Italian market; these certifications are issued in accordance with UNI CEI EN ISO/IEC 17024, a standard for the certification of professional competences.

The certification schemes are generally based on:

  • Evaluation of the candidate’s requisites:
    • Qualifications
    • Work experience in the field
    • Attendance of a course with final exam
  • Certification exam carried out by an accredited organization enabled to issue valid certifications.

The list of certified persons is normally available on the certification body's website.

The Italian Accreditation Entity may not accredit these certification schemes, since they are voluntary schemes that are not regulated by any norm.

The UNINFO/UNI initiative seems like a viable accreditation scheme, as it will make the certification schemes for privacy professionals available, supposedly soon, in a final public inquiry.

The main difference between these certification schemes and the former ones lies in the possibility of accreditation, which will be a qualifying factor.



PROFESSIONAL REGISTERS, as provided for by Law 4/2013, are a further element that may help in evaluating privacy professionals. The list of professional associations that are not organized in orders can be found on the Italian Ministry of Economy’s website.

There are also professional associations working in the privacy field that issue quality-of-service certificates to associates willing to register in professional registers; the professional association subsequently monitors that quality levels are maintained.



A Controller has full and total autonomy of choice, in accordance with the normative requisites, when designating a DPO. This raises the question of what requisites a certification or certification scheme really needs in order to comply with the GDPR, and of who may issue it.




About Giancarlo Butti

He has dealt with ICT, organization and legislation since the early 80s, covering different roles: security manager, project manager, auditor at banking groups, and consultant in security and privacy to companies of different sectors and sizes. He regularly carries out dissemination activity through articles (over 700), books (21 between books and white papers, also used as university texts, and 11 collective works within ABI LAB, Oracle Community for Security and CLUSIT), technical manuals, courses, seminars and conferences. He participates in working groups at ABI LAB on Business Continuity, Risk and GDPR, ISACA-AIEA on GDPR and 263, Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA and a member of CLUSIT and BCI. He is certified (LA BS7799), (LA ISO IEC 27001:2013), CRISC, ISM, DPO, CBCI, AMBCI.
