Saturday, 11 February 2012

What privacy qualifications are worth having, these days?

Given the changes that are anticipated in the European privacy rules in the next few years, some friends have been asking themselves whether there’s much point in obtaining a privacy certification right now. Is there really that much point in achieving an accreditation about a body of knowledge that shortly could change quite radically?

My response to such questions has been to argue that there’s no point in putting off that fateful time when a formal privacy certification is obtained, because hardly anyone (outside the accredited parties) actually knows what body of information it was essential to master before the accreditation was awarded. So, it probably won’t matter if the privacy rules change soon, because not that many people know how relevant the current certification schemes are.

I speak as someone who is not yet formally accredited, so I don’t really know how hard you need to study to obtain them, nor how relevant they really are to a data protection professional, either. Sure, they appear to impress the HR professionals, who like sifting potential applicants in terms of their formal knowledge base, but what practical use are they once a data protection professional actually sets out to do their day job? Does an HR professional favour an individual with 5 years’ data protection experience and a professional qualification over someone with, say, 20 years’ data protection experience but with no formal qualification?

Well, I’ve decided to find out. I’m about to seek two types of accreditation, so that I can compare them and offer some views on their relative merits.

The first type is the traditional approach, and I’ve enrolled on a series of courses that will lead to the ISEB qualification. Between February and April I’ll be studying under the careful eyes of Sue Cullen and Chris Pounder of Amberhawk. And I do hope I won’t let them (or me) down. Having paid for the course myself, I’m committed to completing the coursework immediately after each of the 5 modules, to reinforce the day’s learning. I’m also committed to completing a series of set written assignments, and to attending a mock exam to refresh my experience of exam conditions. With a study commitment of, say, 60 hours, I’m hoping that I’ll pass first time, and I’ll then be able to blog more authoritatively about its value.

The second type is the approach recently introduced by the International Association of Privacy Professionals, which will give me a CIPP/E privacy certification once I’ve passed the basic Foundation Course, and subsequently the European component. The foundation course looks at the common principles and general approaches to privacy, information security and on-line privacy. The European component will require me to demonstrate a deeper knowledge of pan-European and national data protection laws, the European model for privacy enforcement, key privacy terminology, and practical concepts concerning the protection of personal data and trans-border data flows. I have to read a course book to acquire the relevant information, and can take an (optional) intensive refresher training session before the computer-based multiple choice exam occurs. I will be expected to have to demonstrate knowledge of laws in a variety of EU Member States, even if I work for a data controller whose operations are focused on just one EU Member State.

And that’s about as much as I know about these professional qualifications, so far. What I am keen to find out (and subsequently blog about) is whether I learn much from the training, whether the knowledge helps me in my daily job, and whether the accreditation is appreciated, either by my peers or by potential employers.

I have no pre-set agenda, here. I don’t know how useful I’ll find these different certification courses to be. But I will try to share my experiences, however good or awful. Will I blog about disproportionate hope, followed by raging despair? Or, will there be a happy ending? Time will tell.