Professions relating to the processing and protection of personal data (DPO Reg. (EU) 2016/679 and UNI 11697: 2017)

Context – The European Regulation 679/2016

The General Regulation of the European Union no. 679 of 2016 acknowledges the critical issues, related to the management of data, that the digitalization of all productive and administrative contexts entails.

The application of the Regulation, already in force and mandatory as of May 2018, involves important changes with respect to the privacy management regulated by the legislation currently in force, namely Legislative Decree 196/2003.

Organizations will be called upon to equip themselves with structures, skills and processes that guarantee the effective application of all the rights that the European Union guarantees to the citizen regarding the conservation, transmission and deletion of personal, particular (ex-sensitive) and judicial data.

For non-compliant organizations, penalties are provided that may reach 2% of their turnover.

To better manage these important changes and the resulting data management system, the European Regulation provides for professional figures with legal, IT, risk management and process analysis skills.

The UNI 11697: 2017 standard

“Professional profiles related to the processing and protection of personal data – Requirements for knowledge, skills and competence”

The Italian standardization body UNI issued the UNI 11697 standard in November 2017, which regulates the “professional profiles related to the processing and protection of personal data”.

The standard identifies four professional figures and regulates the knowledge, skills and competencies that data protection personnel must have. Furthermore, it establishes the tasks that each of them is called upon to perform.

The Data Protection Officer (DPO)

The DPO is a figure whose appointment is mandatory in the following cases:

  1. the processing is carried out by a public authority or a public body, with the exception of the courts when they exercise their judicial functions;
  2. the main activities of the Data Controller or the Data Processor consist of processing operations that, due to their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
  3. the main activities of the Data Controller or the Data Processor consist of processing, on a large scale, of the particular categories of personal data referred to in Article 9 (formerly “sensitive” data) or of data relating to criminal convictions and offences as referred to in Article 10.

Organizations that are obliged to do so, and those that choose to make use of this figure, may appoint a DPO from within their own staff or as an external consultant. The DPO, a managerial figure given the important responsibilities delegated to them, must deal with:

  • advising and informing the company figures involved (Data Controller and Managers) and the employees who carry out the processing, in relation to current national and European legislative obligations;
  • tracing the necessary risk management procedures in collaboration with the top managers of the organization;
  • monitoring the effective application of the Regulation, both as regards the software and hardware equipment and as regards the awareness of the figures involved;
  • evaluating the implementation of data protection procedures in the production and services of the Organization;
  • interfacing with the supervisory authorities regarding prior authorizations, communications and possible inspections.

The DPO, through professional background and specific training, must possess managerial, legal, educational and technical skills, so as to ensure the organization’s full compliance with the Regulation and then take advantage of the high added value that proper data management delivers to the customer.

Certification for this profile according to the UNI 11697 standard requires a minimum of 4 years’ experience in the sector, which increases according to the qualification held, and 80 hours of training.

The Privacy Manager

The Privacy Manager (DPM) is a figure identified by the UNI 11697 standard who operates within an Organization or acts as a management consultant. It is the figure that interfaces with the DPO and coordinates all the figures involved. It combines specific knowledge with business management techniques, with particular reference to Innovation Management, in order to guarantee an optimal transition and a constant innovation-oriented approach.

Certification for this profile according to the UNI 11697 standard requires a minimum of 4 years’ experience in the sector, which increases according to the qualification held, and 60 hours of training.

The Privacy Specialist

The task of the Privacy Specialist is to support the DPO and the Privacy Manager in the implementation of IT and organizational systems.

This is a more operational figure, but one with a high level of technical knowledge and all the skills necessary to implement and maintain privacy systems.

The UNI 11697 standard provides a minimum of 24 hours of training and 2 years of professional experience.

The Privacy Evaluator

The evaluator is the figure who, in possession of the necessary technical knowledge, verifies as an internal or external auditor the legislative or regulatory compliance of data protection systems. In addition to adequate technical and legal skills, the evaluator must therefore master audit techniques and have strong reporting skills.

The minimum specific training for the Privacy Evaluator is 40 hours, with a minimum of 3 years of work experience related to privacy.

AJA Europe Srl

AJA Europe Srl is a Certification Body that operates in the certification of persons according to the ISO 17024 international standard. It has held ACCREDIA accreditation for years for the certification of numerous technical and managerial professional figures, including the Security Professional profile recognized by the Ministry of the Interior, and is currently undergoing accreditation for the UNI 11697 standard.