Antoni Bosch-Pujol (Europe) - Concern for Data Protection and Privacy Motivates CDPP Program

Data Protection and Privacy are a strategic element in a globalized world. In fact, security-privacy can become a very controversial subject.

Almost on a daily basis, the mass media broadcast news of leaks, data losses or massive publication of sensitive, or even critical, personal information on the part of companies and institutions in different countries.

Recent reports published by the Spanish National Institute of Communication Technologies (INTECO) show worrying data: only 14% of SMEs in Spain know the Spanish Data Protection Regulation that develops the Data Protection Act (in force since April 2008). Of the total number of small and medium-sized businesses with automated files, just 37% say they have declared them to the Spanish Data Protection Authority (AEPD) registry. It has been found that only 16% have actually declared, which makes the figures even worse.

In contrast with this lack of awareness, experts agree that, at both national and international levels, we are heading towards an environment where reputation related to personal data protection will have increasing importance. Nonetheless, organizations still do not pay the necessary attention to this issue, and the Data Protection Officer (DPO) is not recognized enough in Spain, despite the fact that reports from the Article 29 Working Party and the European Commission have been supporting the need to create this role for years.

The ENISA Working Group on Privacy & Technology report identifies major gaps and challenges in privacy and data protection induced by technology, and makes specific recommendations targeted at various stakeholders (e.g. EC, industry, academia, Data Protection Authorities, ENISA, consumer organizations etc.).

The growing importance of the person responsible for privacy, the importance of data protection, its close link to information security governance, and the necessity of a reference certification in this field are the main reasons for launching the Certified Data Privacy Professional (CDPP) program.

The objectives of the program are:


  • To develop and maintain a testing instrument that could be used to evaluate individual competency when conducting Privacy Implementations and Audits
  • To provide a mechanism for motivating Data Privacy Professionals, and to maintain their competencies, while monitoring the success of the maintenance programs
  • To aid top management in developing a sound Privacy Governance by providing criteria for personnel selection and development


The certification is an initiative of the Data Privacy Institute (DPI-ISMS), created by ISMS Forum Spain last July. The expert committee has been working on the certification program, classifying the tasks into seven areas or domains and rating the relative importance of each of the seven domains to privacy and security.

1. Privacy Fundamentals (5%)

2. Legal Framework (Laws and Practices) (22%)

3. Specific Scope (Public and Private) (18%)

4. International Scope (10%)

5. Protection of Information Assets (15%)

6. Incident Management and Response (10%)

7. Information Systems Audit and Control (20%)

For those of you interested in becoming a CDPP, the next examination is to be held in June of 2011. In addition, the certification is likely to be granted to those professionals who can prove they have relevant professional experience, according to the criteria established by the expert committee, and following a grandfathering scheme similar to those used in other renowned international certifications.

Antoni Bosch-Pujol is CEO at Institute of Audit & IT-Governance (IAITG), Director of Data Privacy Institute (DPI-ISMS) and Founder/President ISACA-Barcelona Chapter.

