Gearing up for GDPR certification: Only a few good options
On May 25, 2018, the European Union’s General Data Protection Regulation went into full effect. You undoubtedly were made aware of this because of the hundreds of emails you received, disclosing new or revised privacy policies.
If you work in IT, you’ve been made painfully aware of the new regulations. The question is, how do you know that your staff actually knows how to comply with the rules and isn't just ticking off checkboxes? Or, at a personal level, how can one job applicant prove they know more about corporate compliance (with GDPR, HIPAA, or other regulations) than another security and compliance job seeker?
Quite often, organizations turn to technology or business certifications as an assurance that their personnel know a topic broadly and/or in depth—or at least have been exposed to all the important issues involved. But because we’re in the early days of the GDPR era, the current situation is something of a wild frontier.
While lots of GDPR training options are available, there aren’t that many out-and-out GDPR certifications per se. In a recent blog post, "There Is No Such Thing as GDPR Certification… Yet!" security analyst David Froud rails against the “gold rush” mentality that characterizes early entrants into new market niches.
Conventional metrics are tricky for GDPR. Reputation, cachet, perceived value, and prestige all require time to accumulate, for both individuals and certifications. As a result, making a firm recommendation is problematic. That’s why I have difficulty assessing the value and worth (or lack thereof) for many offerings that purport to train people on GDPR and then to certify them. In the end, you have to decide for yourself. The longer you can wait, the more data will become available to help you make a well-informed decision.
That said, let’s take a look at current options, before I step back and look at the larger issues.
The International Association of Privacy Professionals (IAPP)
Right now, as far as I can tell, the IAPP is the only organization that qualifies as a full-fledged and entirely reputable purveyor of certifications that incorporate GDPR skills and knowledge in its various credentials (and the curricula and exams that support them). The IAPP is a vendor- and policy-neutral organization that’s been around since 2000, billing itself as “the world’s largest global information privacy community.”
The IAPP is helmed by a six-member executive committee, five of whom hold IAPP credentials themselves. Its advisory board has representation from all global geographical regions, with senior privacy officers, attorneys, and consultants from companies large and small, academia, industry, and the research community. The certified population across IAPP is in the thousands; the program has enough duration and reputation to make it worth considering in general (because presumably privacy already mattered to your organization) and for adding GDPR skills and knowledge in particular. And finally, most of IAPP’s certifications are accredited under ANSI/ISO/IEC 17024.
While the IAPP certifications are supported with a training curriculum, the IAPP does not require training before you can take its certification exams. Ample self-study options are available. The IAPP offers an active, vigorous community to its members and certified population, with information and conferences for exam preparation, study groups, and continuing education.
Certified Information Privacy Professional (CIPP)
The CIPP is for IT and other professionals whose responsibility involves data privacy and protection along with legal and compliance matters, plus information management, data governance, and human resources.
However, privacy is as much a matter of understanding governing laws and regulations as it is a matter of information technology—particularly data security and protection. As a result, the CIPP comes in a variety of “regional” versions: Asia, Canada, Europe, U.S. government, and U.S. private sector. Right now, the CIPP/E offers the most focused and intense coverage of GDPR, but this material will perforce make its way into the other CIPP flavors in the next 18 months or so. As a result, if you want a quick boot-up into GDPR skills and knowledge, consider the CIPP/E first and foremost. This credential targets those involved in governance and privacy program operation.
Exam fees vary by location. All IAPP exams cost the same in the United States: $550 for a first-time exam and $375 for a retake of the same exam. Individuals who hold an IAPP certification qualify for the $375 charge for any subsequent (additional) IAPP certification exams they might take (and U.S. test takers can take CIPP exams for any or all of the “flavors” on offer). IAPP certification holders must either pay an annual membership fee to belong to the IAPP or pay an annual certification fee of $125 to maintain their certifications (and meet continuing education or recertification requirements in keeping with the ANSI/ISO/IEC 17024 standard).
Certified Information Privacy Manager (CIPM)
The CIPM targets people responsible for managing information privacy programs. It stresses both knowledge of privacy law and regulations and how to translate that knowledge into workable practices, policies, and procedures for organizations to adopt and employ day to day. The curriculum covers topics that include creating a company (or organizational) vision for privacy and data protection, building and structuring a privacy team, developing and implementing a privacy program framework, communicating with stakeholders, measuring performance, and understanding the operational lifecycle for privacy programs. The same exam fees and fee structure apply to the CIPM as to the CIPP, and charges vary by location (and currency).
Certified Information Privacy Technologist (CIPT)
The CIPT is for the people who implement the technical controls and components that go into a privacy program. This credential is the most likely starting point for IT professionals interested in working with data privacy and protection. It would be best coupled with the CIPP/E for those interested in coming fully up to speed on GDPR.
The CIPT seeks to ensure data privacy at stages of IT product and service lifecycles, including design, development, deployment, maintenance, and retirement/replacement. Candidates are expected to understand privacy concepts and practices as they affect IT operations, consumer expectations for privacy, and concomitant responsibilities. They must also know how to design privacy into early-stage IT product and service development; establish privacy practices for data collection and transfer; manage privacy for the Internet of Things (IoT); factor privacy into data classification and emerging technologies including cloud computing, biometrics, and surveillance; and finally, communicate privacy issues to an organization’s management, development, marketing, legal, and operations functions. The same exam fees and fee structure apply to the CIPT as to the CIPP.
Other GDPR certification players
At present, three other organizations offer GDPR training and certification, none of whose GDPR offerings have definitively been accredited to meet the ISO/IEC 17024 standard. You can judge these offerings for yourself by visiting their sponsors’ websites and reading several articles published here:
- ITGovernanceUSA.com has for-profit offerings from the “leading global provider of IT governance, risk management, and compliance solutions.” Training required.
- The EU GDPR Institute is a think tank that focuses on training and certification for individuals, professionals, and companies, offering GDPR certification and Data Privacy Officer (DPO) certs. Training required.
- The International Board for IT Governance Qualification (IBITGQ) is an international organization that has been certifying IT professionals since 2011, boasting a certified population of 2,139 professionals. (An individual breakdown across its 10 certs is not available, though half a dozen non-GDPR certs account for 1,700-plus of those holders.) IBITGQ offers two EU GDPR certifications: the EU GDPR Foundation (EU GDPR F) and the EU GDPR Practitioner (EU GDPR P). While the organization claims ISO/IEC 17024-compliant certifications, whether those GDPR certs meet the criteria is unclear, and training is required to become certified.
The (job board) numbers do not lie
There are several reasons to get certified, not the least of which is to acknowledge (at least to yourself) that you really have become proficient in a given knowledge domain. Many people are motivated to get a certification in pursuit of a better job, which might mean a raise or promotion. As such, it makes sense to evaluate whether the GDPR certifications make a difference to hiring organizations.
The only credentials that register on a job board analysis wherein more than 100 job listings call for a privacy credential are those from the IAPP. Of the others, only the EU GDPR DPO had a non-zero value (36, to be specific). To compile these numbers, I scraped screens from these job posting sites on a given day: SimplyHired, Indeed, LinkedIn, and LinkUp.
Across all those sites, U.S. job listings asked for these IAPP certifications:
- CIPP (all flavors): 3,059
- CIPM: 749
- CIPT: 783
Readers can determine for themselves the perceived value of a credential that accrues no mention in job postings.
What makes for real quality in certification?
A certification can help you get a job or a raise—but only if it has credibility. Plenty of organizations are eager to offer GDPR training and certification to help with your compliance regime.
Before you plunk down cash or spend your time and energy on such offerings, let me make a few observations. I’ve been writing about certification programs since the mid-1990s; I have been involved in them since the late 1980s, including a brief stint as a training developer for what would become Novell’s “Introduction to Local Area Networks” fundamentals course in its pioneering certification program.
Many certifications (in GDPR and elsewhere) are thinly disguised programs to sign people up for online or classroom training—sometimes at fairly high cost. The organization concludes said training with an exam, slaps a certification label on the works, and expects paying customers to flock to its doors. These offerings claim to deliver sufficient knowledge and skills transfer to training attendees such that the graduates can go out and begin taking advantage of what they’ve learned after one to three days of training. Good luck with that.
Here are the metrics I use when pondering an IT certification’s efficacy and career-enhancing potential:
Certification methodology: Building worthwhile certifications and the exams that support them is an expensive undertaking. It begins with responding to clearly articulated needs for specific bodies of knowledge, skills, and expertise for use in the workplace. This proceeds to an extensive and lengthy job task analysis, wherein practicing professionals in the field are interviewed to determine the kinds of skills and knowledge they possess and use in plying their trade.
A formal set of exam objectives is articulated around the body of knowledge that the job task analysis flushes out. Those objectives become the focus for developing curriculum to teach the necessary skills and knowledge, and for questions to probe individual certification candidates’ knowledge and understanding of such things. Questions are subjected to extensive alpha and beta testing and psychometric analysis, so that only questions that actually distinguish those who really know and understand the material from those who do not make it into the final, approved versions of the exams offered to the public for certification testing.
Certification standards compliance: The most serious certification sponsors adhere to ISO/IEC standard 17024: "General requirements for bodies operating certification schemes for persons." This process takes one to two years to complete and comes with a variety of requirements for certification rigor, continuing education and recertification regimes, and more. Compliant certifications usually have the highest perceived value and impact on their holders in terms of cachet, recognition, and career enhancement.
Program sponsor reputation and recognition: Major certification program sponsors tend to fall into two large categories:
- First, there are top-tier industry associations or societies devoted to serving professional communities focused on specific markets, technologies, or skillsets. In IT, this includes widely recognized bodies such as CompTIA, ISC², and ISACA, to name just a few leading lights.
- Second, major commercial ventures offer tools, technologies, and platforms to a global customer base. They see certification as a tool to help manage and distribute support costs for their offerings. The 800-pound gorillas of this part of the certification world include companies such as Microsoft, Cisco, and Dell/EMC/VMware, to pick another noteworthy triumvirate.
All of these organizations, not surprisingly, practice serious and defensible certification methodologies, and offer 17024-compliant certification credentials to their employees, partners, customers, and other interested parties.
Perceived and reported value, prestige, and popularity: The most valuable IT certifications are the ones that everybody knows about, recognizes, and values. They show up regularly and repeatedly in lists of most valued, most popular, and highest paying certifications. They are often regarded as fiendishly difficult but incredibly worthwhile. Credentials like the Cisco Certified Internetwork Expert (CCIE), Certified Information Systems Security Professional (CISSP), and SANS GIAC Security Expert (GSE) are excellent examples. Program name recognition, size of certified population, and duration are also important factors to consider. Also worth pondering is the size and vigor of the aftermarket for certifications, which includes the availability of self-study materials, practice tests, simulators, or online training environments, as well as active user communities involved with study groups, Q&A sites, and so forth.
GDPR obviously is in its earliest days. Those interested in learning about GDPR should do their homework and look for third-party ratings, rankings, testimonials, or “war stories” from prior attendees to leaven the claims that training providers often make in breathless prose about the quality and high value of their wares. Caveat emptor is never as important anywhere as it is on the wild frontier, where real measures of quality, reputation, and track record can be hard to discern and harder still to verify and validate.
Where the GDPR market is going
The rush to train and certify GDPR-savvy managers and professionals is really just getting started. I expect that ISC² and ISACA, both of which already have a strong presence in the security and governance spaces, will probably field offerings in the next 12 to 18 months, though no official word on such introductions is available or forthcoming.
There will undoubtedly be a lot more action in the GDPR arena in the next year or two. But right now, the only real game in GDPR-related certification appears to come from the IAPP.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.