Certs, Certification, and Ring Chasing Gollums

By Dr Katherine O Keefe
July 17, 2020
36min read
image of a fake certificate of certified certification

Data Literacy is becoming a thing, and there is an increasing focus in a number of areas on the question of certification and accreditation of skills. As a consultancy and training company Castlebridge has been at the forefront of Data Protection and data management training for over a decade, and we are proud of our record. In addition to helping skills and expertise through public, tailored and bespoke training to meet our clients’ needs in Ireland and internationally, our expert trainers have been and behind the syllabus and wandering around the lectern in a lot of other training in Ireland.  Daragh O Brien was a consultant on the design of the syllabus for the Law Society of Ireland’s Certificate in Data Protection Practice (which both Daragh and I lecture on), the Data Protection courses offered by Public Affairs Ireland are designed and delivered by us, and University College Dublin’s Professional Diploma in Data Protection and Governance also has a syllabus designed and delivered by familiar faces from Castlebridge. Daragh was also involved in the Irish Computer Society’s development of a training syllabus way back in the dark ages. Some of our expert trainers have also been involved with the design and development of an internationally recognized professional certification and accreditation scheme for Data Management.

However, as proud as we are of our high standards for training and skills development, we do not offer “certification”, and some clients and prospective clients have asked us why this is the case. It’s a topic we discussed at length last year on our podcast.

If you’ve sat in on any of my GDPR training sessions in the past few years,  you may remember me basically answering this with a joke slide, while warning about the snake oil sales of “Certified GDPR Practitioners”   (You can get it on a mug if you want!)  The rise in 2017 and 2018 of a certain element of unscrupulous operations claiming to be “GDPR Certified Practitioners” or “GDPR Certified Professionals” was something that scrupulous data protection practitioners were careful to avoid being associated with.  The slightly longer short answer to the question “why don’t you offer certified training or certification” is, “because we do not lie to our clients.”

To answer more comprehensively and with a little less joking though the question of certification or certified training is one of standards and governance.  What is the difference between a certificate and a certification?  What kind of certification can people offer?  What is the standard by which a certification or accreditation is measured by?  Who approves or accredits a certification? What does it mean?  What are you measuring, and what governance mechanisms are in place to ensure that measurement is fit for purpose?

A certificate reflects completion of training or accomplishment of intended learning outcomes (for instance, as evidenced through completion of an assessment or exam). We are happy to give our trainees and delegates a certificate at the end of our course and to assess their learning against a set of learning objectives.

Certs, Certification, and Certifed: Are we certifiable?

A certification is a very different thing to offering a certificate.  Then, the next question you are asking is what is being certified . . . the course provider? The course? Or the practitioner?

Understandably, both people looking to develop their career credentials as data protection practitioners or Data Protection Officers, and companies looking to ensure they hire appropriately skilled professionals to act as their DPO would like to be able to refer to established credentials.  The GDPR does set forth measures for the establishment of a certification mechanism or accreditation scheme for Data Protection training. France’s CNIL is an example of a regulatory authority which has approved standard for training courses, and a certification scheme for competencies of the DPO. The Irish Data Protection Commission has not established or approved such a scheme, and having an approved training qualification to be able to show a badge that you are a “qualified DPO” isn’t the end-game for competence in a DPO role . In a recent panel discussion on The Independent and Effective DPO,  Assistant Commissioner MB Donnelly emphasized that the required skills for a qualified and effective DPO were not just knowledge of relevant data protection law, but knowledge and understanding of your organization’s data and processes. It is also worth noting that the EDPB has put a clear line in the sand that, as a general rule, they will not be engaging in the certification of individuals but will instead be focussing on the quality assurance of certification bodies.

Educational bodies may be accredited to deliver a degree or certificate awarded at a particular level on a standardized framework (for example, a Bachelors or Masters degree, or a Professional Certificate).  Similarly a QQI award is a standard which gives external validation accrediting that training courses are designed to an established syllabus with quality assurance.  An added bonus of systems like QQI and formalised academic education is that they map qualifications to an objective Qualifications Framework (the EQF) so that the level of the “certification” and the depth of study or practical experiential learning involved can be assessed. “Certified CPD” training generally simply verifies that a delegate was present for a set training course.

The best-known “certification” exams used by Privacy and Data Protection professionals are the IAPP’s “Certified Information Privacy Professional” and the IAPP accredits their certification exams through the American National Standards Institute, for conformity to ISO 17024. This standard  offers a standard for Personnel Certification processes and is a statement of conformity to the standard set of processes, activities, and controls required for an effective badge generation process.  If you meet this standard, that essentially means you as an awarding body have met a set of benchmark requirements for your structure resourcing and staffing as a legal entity, records and information requirements, awarding certifications with impartiality independent of any training you may offer, and that you describe the competencies or knowledge you examine, and test those competencies.

The Badge Making Process: What does “Certified to ISO17024” actually mean?

My colleague Daragh has been involved in the development of professional certifications to this standard and, while it is not for the faint of heart to attempt, it is very much focussed on the process by which the certification is developed and the structural and financial resources of the certifying body. What it doesn’t do is ensure that the competencies examined are the relevant skills needed for the role of a DPO, other than what the certifying body might have identified in their definition of the job and task descriptions for the role, usually based on some form of job analysis study conducted by the organisation. So, it’s often a consensus reached by a professional membership body, based on input from whoever was consulted in the job analysis study, as to the skills and competences needed for the role. Here’s an example of a job analysis study that Daragh was involved in in the early 2000s. This job analysis should then inform the required body of knowledge and associated exam blueprints for the certification. ISO17024 just tells people you’ve done that to a suitable level of detail, have competent people running the show following defined processes, and you’ve money in the bank so that you won’t disappear into the night leaving badge-holders high and dry.

I have developed certification exams as the VP for Professional Development in DAMA International. I project managed the rebuild of the CDMP certifications and navigated the challenge of defining the learning objectives and examinable elements of the DMBOK and the associated data management disciplines and the development of the question banks for the initial CDMP relaunch in 2017. A key factor that needs to be considered in any professional organisation’s exam and certification scheme is the inherent risk of bias of the volunteers in those organisations contributing to the development of the certification scheme and the job analysis study that might underpin any exam. It is a difficult truth to face that many professional organisations can be inherently “small p” political in their operations behind the scenes and it is often difficult for those outside the tent to fully appreciate the dynamics of how the certification sausage factory actually works.

Professional bodies such as the IAPP, IQ International, and DAMA International offer certification schemes with logos and marks available to people who have passed their exams and met any other relevant criteria. While these bodies may offer training or membership tailored to the set syllabus or body of knowledge their exams are based on, you don’t need to take their approved or “certified” training to pass their exams. Additionally, a number of expert practitioners in the fields represented by these professional bodies have been highly critical of the value of the certification badges, as they ultimately represent the ability to pass a multiple-choice exam. No matter how rigorous the pedagogy underpinning the exam creation, this is not the same as having actual experience, knowledge, or insight and, in many cases, should be regarded as the start of a learning journey to develop competence and mastery of a field rather than a formal attestation of excellence.

The question of CPD, which is often a requirement of maintaining professional certifications or qualifications, is equally one that is also often misunderstood. At its simplest, CPD means being able to present to an accrediting organisation, a record of things you have done to maintain your professional competence during a defined period. The real requirement here is to keep records of what you read or wrote, what events you went to or spoke at, and (in professional organisations) how much grunt work you did on behalf of the organisation in pursuit of its goals. This might be audited. It usually isn’t. One professional body we know of awards CPD points for materials downloaded from their website. We assume any audit of that CPD would include a pop quiz to make sure people actually read the materials.

What does all this mean?

So, what does this mean for people looking to develop their skills in data management disciplines? And what does it mean for people who are trying to hire or recruit appropriately skilled staff? Are the badges worthless?

Don’t get me wrong. This isn’t a case of “Badges, we don’t need no stinking badges”. For people looking to develop their skills any learning is good, and any badge is ultimately evidence that you have made a commitment to professional development and growth in a skill set. Much like a martial artist may attend different schools and learn from different teachers, or a ballet dancer might seek opportunities to take classes with mentors or prestigious companies, the pursuit is ultimately one of developing mastery and competence in a field. In both contexts, the belt or badge attained is just a milestone marker on a journey. What is more important is the mastery of technique and the development of the competence to act and react correctly in novel situations or when everything is going wrong around you.

So, if you are looking to develop and grow your expertise and credibility, there is a lot to be said for things like blogging, volunteering with relevant professional bodies, speaking at conferences or on webinars, and generally doing the types of thing that get CPD points for a badge but doing them in a way that actually supports and evidences your personal and professional development. Apart from anything else, it helps build your network of experts who you can learn from. From my involvement with DAMA International for example, I have developed a strong professional network that includes people like Michelle Dennedy, Pat Walshe, @RMGirl (Emily Overton), and many others. I have also picked up a few accolades along the way (runner up in the IRMS Alison North New Professionals, a Professional Achievement award from DAMA International, and some other things in the pipeline that I can’t talk about just yet).

If you are trying to evaluate the value of a particular trainer or training (as opposed to a cert or certification), this blog post Daragh wrote back in 2015 is still a useful and relevant guide.

For recruiters, it’s important to look behind the badge at the person. Are they ticking a box in their resume bingo card with that badge or are they someone with deep competence, passion, or insight? In a market where “instant experts” can get the same badges as anyone else, the possession of one badge or another shouldn’t be the evidence. Look for things like: do they write about these things in a personal blog? Do they volunteer data protection or data management skills with a charity or community group? Are they actively involved in developing standards in the profession through membership or leadership of a professional body or networking group? These things will help you determine if the person in front of you is Data Management Wizard or just a Certification Gollum chasing shiny rings.

Related Insights


Keep up to date with all our latest insights, podcast, training sessions, and webinars.

This field is for validation purposes and should be left unchanged.