In this article, I’d like to tackle the thorny issue of GDPR certification.
Let’s start by laying the bald facts on the table – there’s no such thing as “official certification” for the GDPR. The Information Commissioner’s Office haven’t set out an official curriculum, paths to certification or accreditation programmes and nor have the European Commission.
Nor, in my (long!) searches, have I come across anything that I’d describe as “independent” certification.
There are lots of training companies out there (us included – more of which shortly) who offer GDPR Foundation and Practitioner certification, but these courses are, in my experience, ALL simply certified, whether directly or indirectly, by the company offering the training.
There are those companies where this is clear – as in our case, I hope – and those where it’s perhaps less so.
As just one example, one of the biggest providers of GDPR training says on their website “Delegates take the EU GDPR F examination at the end of the course – a […] ISO 17024-certified exam set by IBITGQ.”
To quote from the website Froud on Fraud: “While there is absolutely nothing wrong with either ISO 17024 standard or the IBITGQ, when applied appropriately, they have absolutely nothing to do with GDPR certification.” Furthermore, one might question how a company can be independent from its examining body when that company co-founded that same examining body!
Now, don’t get me wrong – I’m not doubting the quality of the training provided by any particular training company. My point is that there really is no such thing as “official” certification, and quite possibly no such thing as “independent” certification either.
Which, of course, begs the question, why do we too offer “certified GDPR training”?
The short answer is that there’s evidently a demand for people to learn what the GDPR means, and how they can best start to ensure that their organisation operates within the law when it comes in. And given that people are paying to sit in a classroom for anything from several hours to several days to get this information (depending on the depth of information they’re seeking), it’s not unreasonable to ask for some proof that they’ve done this, in the form of a certificate.
We could (and do, for our shorter courses) offer a simple “certificate of attendance”, but we also offer the “certified courses”.
Our GDPR “Foundation” or “Foundation and Practitioner” certification says a little more than “you attended”. It’s proof that you’ve attended, listened, learned and were able to demonstrate an understanding of the course, and so were able to pass an examination (which is, in our case, designed to be a proper test of understanding, not just a “mickey mouse” exam).
Yes, we created the exam. Yes, it reflects those elements which we elected to put into the course (we don’t cover all half-million words of the GDPR in the courses, so there are bound to be choices made about what we cover and what we don’t). And yes, we mark it – and have put procedures in place to ensure that the marking is fair and anonymous.
We are confident that our courses are at least as good as those offered by anyone else. And we think that our exam has a value. But we don’t claim – and nor should anyone – that it’s an official, certified certification programme that’s in any way “approved” or “validated” by the ICO, and that passing it will guarantee that your organisation will be GDPR-compliant.