When considering the skills and competencies required by a data protection officer (DPO) to successful fulfil their role, an important source of information is schemes and guidance issued by the supervisory authorities. To date there have been schemes issued by the Spanish and French supervisory authorities and a comparison of the two schemes can be found at the attachment.
While the schemes cover similar subject matter and both use ISO 17024:2012 (Conformity Assessments), the Spanish scheme requires the DPO to be able to apply and implement a number of the skills rather than just identify them, as required by the French scheme. There is also a significant difference in the experience required for entry to the Spanish scheme, which is 5 years’ experience (although this can be offset by undertaking recognised training) compared to 2 years’ for the French scheme.
Consequently, when further comparing the schemes to the qualification frameworks that are used by the qualifications’ regulators (including the European Qualification Framework), the Spanish scheme is likely to be at a higher level of competences on the frameworks than the French scheme. This will be one of the topics discussed further in a future blog.
Additionally, the Spanish scheme has a code of ethics with nothing similar in the French scheme. This adds an interesting dimension to establishing the essential skills and competencies of a DPO as the personal attributes referred to (such as integrity, professionalism and impartiality) are going to be very difficult to assess for the purposes of establishing whether a person has a particular skillset, and also in terms of compliance.
Both schemes also recognise the need for continuous professional development, with both requiring renewal every 3 years.
Information about the two schemes are available from:
Spanish – https://www.aepd.es/reglamento/cumplimiento/common/scheme-aepd-dpd.pdf
Schemes will be added to the comparison as other supervisory authorities issue guidance as to the skills and competencies required by the DPO. The comparison will also be updated to include any rulings that specifically refer to the skills and competencies of the DPO.
Do you know if the ICO plans to produce a scheme, and if so, when we are likely to see it published?
Good question. The last time I was in contact with the ICO about the role of the DPO was in March 2019 and at that time they had no one working on the requirements for DPOs. I will update the blog if I get any update.