This article is not about discrediting any GDPR practitioner courses, certifications, or people who are part of them. But the emerging privacy profession and data protection professionals need to strive for credibility, starting with clear language.
1. ‘GDPR practitioner’ is not like ‘F-35 pilot’
It might sound cool to say you are a GDPR practitioner at a time when everyone is talking about GDPR. But there is a difference between a pilot saying they are an ‘Airbus A330 pilot’ and a privacy professional saying they are a ‘GDPR practitioner’. The truth is, as a pilot, you can only fly one aircraft at a time. But as a data protection professional, you may need to refer to other laws and regulations that touch on privacy, most notably the relevant Member State laws or the jurisprudence of both EU and CoE courts when it comes to human rights issues. Someone who thinks European privacy begins and ends with GDPR might be a liability in the privacy profession.
2. Data protection and privacy are not from yesterday
This brings me to another point: the contemporary understanding of GDPR as something completely new in the EU, the UK, and other Member States’ laws. In multiple ways, from data protection impact assessment and pseudonymisation to the introduction and position of the Data Protection Officer, GDPR revolutionises the way businesses are supposed to address privacy. But if your company has so far been processing personal data without due regard to Data Protection Directive 95/46/EC and Data Protection Act 1998, it is absurd to think GDPR in May 2018 is more relevant for you than these two documents right now. Looking at the fines imposed by the ICO and other Member States’ bodies to date, it becomes clear that today’s data protection compliance is a real issue that any GDPR adaptation exercise needs to build on.
3. Privacy is global and interdisciplinary
In a world of the cloud and borderless apps, there is more than ever a need for comparative regulatory knowledge and interdisciplinary approaches. Focusing on one document, no matter how influential and multi-jurisdictional at a certain moment, misses the point. A GDPR practitioner might understand the provisions of the GDPR, but does he or she understand the broader privacy implications of phenomena such as IoT or SaaS?