The ISO 27001 & ISO 22301 Blog

Alessandra Nistico

How an ISO 27001 expert can become a GDPR data protection officer

If you are an ISO 27001 practitioner, you are a professional trained to establish, implement, maintain, and continually improve a risk-managed Information Security Management System (ISMS). You probably already know that many of your skills and expertise are useful also in implementing the EU GDPR.

So, in order to increase your job opportunities, you may wonder whether your knowledge is enough to be a data protection officer (DPO) under the GDPR, or if there is something missing that requires extra education. Find the answer in this article.

What is the main difference?

First, it must be clear that we are dealing with two different professional roles, each with specific responsibilities and approaches to data protection. One of the main differences between the ISO 27001 expert and the DPO is that the former is not a role expressly mentioned in ISO 27001; such roles arose because of the complexity of implementing the security controls set out in ISO 27001.

Learn more about the job of the DPO in the article The role of the DPO in light of the General Data Protection Regulation.

What are the different responsibilities between an ISO 27001 security officer and a DPO?

Before we go into more detail, let’s clarify why these two roles should be kept separate. An ISO 27001 expert is fully involved in the risk management associated with all the business processes. He manages, trains, and coordinates all aspects of information security in company activities.

The data protection officer, instead, has a different role. The DPO is an intermediary and independent role between data subjects, data controllers, and supervisory authorities. He/she gives advice to the controller and the processor on their obligations pursuant to the GDPR and to the data protection laws and regulations of Member States. He/she monitors compliance with the GDPR, with other Union or Member State data protection provisions, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits. DPOs also provide advice where requested regarding the data protection impact assessment, and monitor its performance pursuant to GDPR Article 35.

The DPO will cooperate with the supervisory authority in cases of inspection or prior consultation.

The GDPR requires that the DPO is designated on the basis of his/her professional qualities, expert knowledge of data protection law and practices, and ability to fulfil all the tasks referred to in Article 39. Therefore, legal expertise and knowledge are crucial in selecting a DPO, because he/she will be the point of reference for data subjects exercising their rights and will deal with the supervisory authority.

What are the different skills required for an ISO 27001 security officer and a DPO?

So, let’s see a comparison of the skills required for an ISO 27001 practitioner and a DPO.

[Image: comparison of the skills required for an ISO 27001 practitioner and a DPO]

How to overcome this gap – what an ISO 27001 security officer needs to do

If you are an ISO 27001 practitioner, you probably already have some general knowledge of the legal requirements of the EU GDPR, but you might lack the deep knowledge required or (if your aim is to work for a public authority) the administrative rules and procedures of the organisation. You might also lack the ability to balance rights and interests, to investigate interpretation in order to implement the EU GDPR requirements in the right way, and to deal with supervisory authorities.

You might consider investing in extra education to close your knowledge gap. You can take some classes on the GDPR (some of these may be online), attend webinars on the GDPR, or participate in seminars on particular aspects of the GDPR. Start following the supervisory authorities’ websites and subscribe to their newsletters to find out about the latest regulations and decisions and to understand how they work. If you need more information on the content of the GDPR, or on its interpretation, you might consider purchasing some academic books or papers.

In Italy, a decision was made in 2018 by the Regional Administrative Court of Friuli Venezia Giulia, which underlined that being certified as an ISO 27001 Auditor or Lead Auditor cannot be considered a mandatory requirement when a public authority issues a public competition to assign the DPO job. The Court analysed the EU GDPR and the WP29 Group and highlighted that the focus needs to be on legal knowledge, rather than on the skills assessed by the ISO 27001 Auditor or ISO 27001 Lead Auditor certification.

Of course, the Article 29 Working Party, in its Guidelines on DPOs, underlined that there is no need to be “certified” as a DPO; you can give evidence of your knowledge and skills in different ways (e.g., by participating in seminars or webinars, by writing articles on legal aspects, and so on). You can also close your knowledge gap with education limited to the aspects you are missing, by attending specialised events or reading academic or specialised papers.

However, take your time and think about what will work best for you.

To learn how to handle the GDPR, enrol in this free online training: EU GDPR Data Protection Officer Course.

About the author:

Alessandra Nisticò is a lawyer focused on the GDPR, internet law, European law, and innovation themes that help companies and persons to orient and defend themselves in the digital world, developing its potential.
