Why I’ve given up my CIPP/E

A couple of years ago it was a good idea to go for certification in European Privacy with the International Association of Privacy Professionals (IAPP). This was for a number of reasons, both for the clients I worked with at the time and personal for me as a data protection professional (I had been after it for some time).

Having now been through the process, exposed to the training messages and the organisation itself when my renewal of this certificate came about I decided to think long and hard about where I wanted to go with my professional qualifications.

For context, I've worked in the world of 'Information' for coming up to 10 years across various sectors. I won't list my qualifications as you can see them on my profile (and I suffer from imposter syndrome) but you get my point, I'm no longer a 'new hat' to the information table. So while I don't claim to have more certifications than sense (well, I hope not anyway) I did ask myself what was the point of the CIPPE? Especially as it would cost me personally at least £500 to renew it (or £1700 if I let it lapse and then re-apply).

Let's deal with the obvious point first. It is a lot of money no matter which path you walk. Money which I simply just don't have at the present time with one pressure and another on my income. Therefore would having the CIPPE mean that in the future I may have that money and could sustain it? Possibly... possibly not. I know that in some UK specific industries (the public sector for example) it holds very little value so for any UK specific career, it would not hold much potential or value. But for multinationals, they do look for the CIPPE or something similar. For me, therefore, value for money is a question left unanswered as I currently don't limit myself to one sector or another. Variety is the spice of life as they say.

If you want to accuse me of not renewing based on cost alone, therefore, you are more than welcome to. You would be wrong, but you are welcome to make that accusation which is why I mention up front.

However, another aspect of value is content and relevance. For those of you that do not know, unlike the BCS certificate, to maintain the CIPPE you need to submit your CPD points and ensure you are keeping up to date with your learning and progression. So from an "I can show people I've continually learnt and improved my learning" it would certainly tick the box. It also encourages me to lift my nose up from my daily workload and make sure I am getting out to see what might be coming down the road to affect me.

What of the content that they actually teach you? What do I learn from sitting the CIPPE exams that I didn't learn before? Well, at the time (2015) IAPP freely admitted (well the trainers did at least) that the content was out of date and wasn't due to be updated for some time. They did outline that this would change in the years to come but for that round of 'intake', it would be as it was. Forgive me, but those qualified need to keep up to date with changes but the course content does not? I wasn't impressed at that, and I certainly wasn't impressed with the fact we had to learn incorrect content to pass the exam only to discard it because the world had moved on. I believe it has now been updated in the interests of fairness but that 'meh' attitude has stayed with me.

The exam did, however, teach me more about the relationship between privacy and data protection and was very useful for extending that understanding. But it was more of a geekiness history lesson more than a practical this is what it therefore means. The exam was fairly detailed and difficult, and the electronic testing centres were, to say the least, in some weird and wonderful places. I can now safely say I've seen what lies behind the security door in a post office somewhere in South West London. They keep IT exam centres behind there, who knew?

The lessons themselves were interesting. This was mainly due to an issue that cropped up with one of the trainers. This particular trainer maintained that Data Controllers would not use legitimate interests as a ground for processing they would use others instead. When we pointed out that Councils do, Businesses do, and that's pretty much how the Credit Reference Agencies currently do it they still maintained their view. When you know more about practical DPA application than your teacher you instantly start to disconnect and lose a little respect for them. Now to be clear that is not in the curriculum that I can see, so it could just be a one-off comment from one particular teacher. But for me, and my experience with it, it's a no.

For those of you that see any IAPP documentation and forums there is a big 'push' or 'culture' within IAPP that privacy professionals are legally trained in some form, usually a lawyer of some shade. There was even an 'online argument' about it roughly a year ago when there was yet more material published that geared privacy professionals towards a legal background and certification rather than a practitioner.

This "the law is for lawyers" attitude is something I've seen before, especially in US owned multi-nationals. If you're not a lawyer, then you can't possibly be a Privacy Officer and certainly not a Data Protection Officer. Which, if you have seen my previous comments on the matter, is the biggest pile of drivel I have ever heard. Many of the practitioners I have seen that get information handling and are doing some amazing stuff to get DP right in their worlds are not any sort of shade of lawyer. So to even remotely put forward a viewpoint that DP & Privacy should be the domain of the lawyer is nothing short of elitist and short-sighted.

So I'm faced with a personal choice. Re-certify and demonstrate to a business that I am certified to that organisation's standards, or not and demonstrate capability some other way. As you can probably tell, I have opted for the latter. In my various roles and working with various information practitioners of all levels and experience I would rather be known as someone practical, experienced and recommended than someone with a CIPPE that talks a good legal show but delivers naff all. Practical experience, recommendations, continuous exposure, growth and discussion are my path and I stand by those. I will seek certification with whatever scheme or requirements come in under GDPR, and if that ends up being this then, while that would be a step in the wrong direction, in my opinion, I will eat humble pie and do it.

The 'Data Protection Professional' faces a time of change and uncertainty. While I don't claim to be a leading authority on these things I am someone out there, on the ground dealing with what Data Protection means for your everyday man, woman and child. Any qualification or professional standards for Data Protection and/or Privacy Professionals should always be practice-based, accurate and should be open to all those of any level or background that wants an understanding of what DP/Privacy is and what it means in today's world.

Leave a Comment

Your email address will not be published. Required fields are marked *