Data Protection Officer, close to a unified certification scheme … and more

By | Sunday February 5th, 2017

After more than a year of work, the draft of a national UNI/UNINFO standard defining profiles and competences of data protection and processing professionals reached its final public inquiry stage.

One of the declared goals is to bring common, shared rules to avoid a “far west” effect on a market already crowded by proprietary initiatives, none of which is qualifies professional work as required by law 4/2013. Some of the promoters of such initiatives have also decided to take part to the works for the new national standard sadly preferring an obstructionist approach to a collaborative one but the standard is now close to the publication.

This standard is the result of a collaboration declared from its early days between legal and ICT experts coming from two UNI and one UNINFO committees. It fully takes into account both the relevant contents of EU Regulation 2016/679 and the more recent guidelines expressed by WP 29, joining knowledge requirements of applicable laws, of information systems and of protection/security techniques, increasingly dominant in our modern society.

Starting from a general solid approach already recognized at both European and national level (EQF and e-CF), enriched and brought closer to not-ICT contexts, a “minimal” set of professional profiles has been defined. This set includes a DPO aligned with the new EU Regulation 2016/679, a manager profile, an operational profile and an external evaluator profile. Those profiles have been conceived to provide, individually or aggregated, a full support to controllers and processors to the correct management of personal data.

Considering the adoption scheduled for May 2018 of the new EU Regulation 2016/679 and of the novelties inside it, there is a solid need of them. One of the biggest innovations is, for example, the passage from “static” security measures as those defined in Annex B of d.lgs 196/2003 to measures defined as a result of impact and risk assessment activities, which obviously require specific competences also related with the technological development of the most recent fifteen years.

Once the public inquiry will be over (it is now accessible and open to public comments on the dedicated page http://www.uni.com/index.php?option=com_wrapper&view=wrapper&Itemid=900 referencing the project’s code E14D00036, whose goal is to trigger valuable feedbacks of stakeholders not already involved in tehe development of the standard) Italy will be the first nation to have such a national scheme and could suggest its adoption at a European level, being once more not the last but the first carriage of the train.

Category: Data Protection Officer Tags: , , ,

About fguasconi

Graduated in computer science, he’s been working for 10+ years within information security consulting, focusing on risk assessment, security and compliance management using international standards. Certified CISA, CISM, ITIL and ISFS, he is a qualified ISO 9001 and ISO/IEC 27001 auditor, having edited the Italian translations of the latter standard. Coauthor of the CLUSIT handbooks on PCI-DSS and on professional certifications, is an active QSA and a regular presence into events and publications on information security. Chairs the Italian ISO/IEC SC27 of UNINFO and sits in its board of directors, as for CLUSIT. He is a co-founder and president of the consulting firm BL4CKSWAN S.r.l.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.