DPO Certification Should be Regulated

25 Pages. Posted: 13 Jun 2018. Last revised: 8 Jul 2019.

Eric Lachaud

Tilburg University - LTMS, home of Tilt and Tilec

Date Written: May 10, 2018


The Data Protection Officer (hereinafter “DPO”) is a key figure of the general data protection reform. The profile required in the General Data Protection Regulation (hereinafter “GDPR”) to hold this position is demanding, and people with the required competencies and experience are in limited supply. Many companies, especially SMEs, required or simply planning to hire a DPO before May 2018 are a little lost and, sometimes, misled by opportunists leveraging the shortage of suitable candidates. A strong demand for guaranteeing a minimum level of competence among candidate DPOs is being observed. Many schemes offering to certify a minimum level of knowledge have popped up in the Member States. However, the DPO certification market remains very fragmented and presents many inconsistencies regarding the content and process offered. The experience of certification in other activities has demonstrated that the proliferation of unregulated certification schemes creates inconsistencies in the schemes’ content. It also encourages competition between them and raises a risk of a race to the bottom that could undermine trust in this procedure. The GDPR does not provide for any restrictions preventing the regulation of schemes established outside Article 42, even though they are not recognized as possible means to instill accountability. The authorities could mandate the European standardization bodies to design a harmonized DPO standard within the implementation acts and include the accreditation of private certification bodies in the process specified in Article 43.1 of the GDPR. The solution envisioned could offer the opportunity to set up a twofold regulation process for data protection certification, one dedicated to the schemes falling within the scope of Article 42.1 and another for those not falling within this scope.

Keywords: Data Protection Officer, DPO, Certification, GDPR, Conformity assurance, Co-regulation, Self-regulation

Suggested Citation

Lachaud, Eric, DPO Certification Should be Regulated (May 10, 2018). Available at SSRN: https://ssrn.com/abstract=3176471 or http://dx.doi.org/10.2139/ssrn.3176471
