Requirements for professional profiles related to personal data processing and protection

The standard defines the requirements related to the professional activity of subjects active in the processing and protection of
personal data, namely the intellectual profession that is pursued at different levels of complexity and in different organizational
contexts, both public and private.
These requirements are specified, starting from the specific tasks and activities identified, in terms of knowledge, skills and
competence, in accordance with the European Qualifications Framework - EQF and are expressed in such a way as to facilitate and
contribute to harmonize, as far as possible, evaluation and validation processes of learning outcomes.

Anforderungen an Berufsprofile im Zusammenhang mit der Verarbeitung und dem Schutz personenbezogener Daten

Dieses Dokument definiert die Anforderungen an die berufliche Tätigkeit von Personen, die im Bereich der Verarbeitung und des Schutzes personenbezogener Daten tätig sind, d. h. an den intellektuellen Beruf, der auf verschiedenen Komplexitätsniveaus und in verschiedenen organisatorischen Kontexten, sowohl im öffentlichen als auch im privaten Bereich, ausgeübt wird.
Diese Anforderungen werden ausgehend von den identifizierten spezifischen Aufgaben und Tätigkeiten in Form von Wissen, Fertigkeiten und Kompetenzen in Übereinstimmung mit dem Europäischen Qualifikationsrahmen (EQR) spezifiziert und so ausgedrückt, dass sie die Evaluierungs- und Validierungsprozesse von Lernergebnissen erleichtern und so weit wie möglich zur Harmonisierung beitragen.

Exigences relatives aux profils de professionnels en lien avec le traitement et la protection de données à caractère personnel

Le présent document définit les exigences relatives à l'activité professionnelle des personnes intervenant activement dans le traitement et la protection des données à caractère personnel, à savoir la profession intellectuelle menée à différents niveaux de complexité et dans différents contextes organisationnels, à la fois publics et privés.
Ces exigences sont spécifiées en des termes de connaissances, d'aptitudes et de compétences conformément au cadre européen des certifications (CEC), en commençant par les tâches et activités spécifiques identifiées, et sont exprimées de telle manière à faciliter et contribuer à harmoniser, dans la mesure du possible, les processus d'évaluation et de validation des résultats d'apprentissage.

Zahteve za poklicne profile v zvezi z obdelavo in varovanjem osebnih podatkov

General Information

Status
Not Published
Public Enquiry End Date
16-Dec-2021
Technical Committee
Current Stage
5020 - Formal vote (FV) (Adopted Project)
Start Date
24-Jul-2023
Due Date
11-Sep-2023

Buy Standard

Draft
prEN 17740:2021
English language
52 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
oSIST prEN 17740:2021
01-december-2021
Zahteve za poklicne profile v zvezi z obdelavo in varovanjem osebnih podatkov
Requirements for professional profiles related to personal data processing and protection
Anforderungen an Berufsprofile im Zusammenhang mit der Verarbeitung und dem
Schutz personenbezogener Daten
Exigences relatives aux profils de professionnels en lien avec le traitement et la
protection de données à caractère personnel
Ta slovenski standard je istoveten z: prEN 17740
ICS:
03.100.30 Vodenje ljudi Management of human
resources
35.030 Informacijska varnost IT Security
oSIST prEN 17740:2021 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN 17740:2021

---------------------- Page: 2 ----------------------
oSIST prEN 17740:2021


EUROPEAN STANDARD
DRAFT
prEN 17740
NORME EUROPÉENNE

EUROPÄISCHE NORM

October 2021
ICS 03.100.30; 35.030

English version

Requirements for professional profiles related to personal
data processing and protection
 Anforderungen an Berufsprofile im Zusammenhang
mit der Verarbeitung und dem Schutz
personenbezogener Daten
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.

If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.

This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own
language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

---------------------- Page: 3 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
Contents Page
European foreword . 3
Introduction . 4
1 Scope . 5
2 Normative references . 5
3 Terms and definitions . 5
4 Professional profile tasks and specific activities . 7
5 Knowledge, skills and competencies associated with professional activity . 8
6 Elements for the evaluation and validation of learning outcomes . 34
Annex A (informative) Index of skills and knowledge . 37
Annex B (normative) Requirements for professional profiles access . 50
Bibliography . 52

2

---------------------- Page: 4 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
European foreword
This document (prEN 17740:2021) has been prepared by Technical Committee CEN/CLC/JTC 13
“Cybersecurity and Data protection”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
3

---------------------- Page: 5 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
Introduction
The definition of requirements for professional profiles in the field of processing and protection of
personal data are necessary to establish the fundamental set of knowledges, skills and competences that
distinguish such profiles.
The standard applies to the professional profiles in the identified area, regardless of the working methods
and type of employment relationship. Tasks and activities related to the profession are described on the
basis of all functions actually performed by professionals working in the field of processing and
protection of personal data in different work contexts. These functions are varied and concern technical,
administrative, cultural, scientific and legal aspects.
This standard adopts the reference European framework for the definition of competences and related
skills: EN 16234-1. For related ICT-oriented profiles, such as for example the system administrator,
please refer to CEN CWA 16458-1.
The profiles defined in this standard are not intended to be exhaustive and are applicable regardless of
the work placement of the subjects operating in the sector.
The main intended audience of this standard comprises professionals seeking guidance regarding their
professional development, enterprises defining their internal data protection organization and related
hiring requirements, bodies providing personnel training, accreditation and certification services.
Methodological approach
Within the development of this standard the principles and indications set out in Recommendation 2008
/ C111 / 01 (European Qualification Framework - EQF) and Recommendation 2009 / C 155/02
(European Credit System for Vocational Education and Training - ECVET) were first considered.
From a methodological point of view, it was established in particular that:
• the basic terms and definitions (Clause 3) adopted are, for the most part, derived from the EQF,
ECVET and the relevant terminology commonly used in the European Community;
• the specific terms and definitions of the subject “protection of personal data” are consistent with
those set out in EU 2016/679 Regulation;
• for the description of the requirements of knowledge, skills and competence of a specific professional
profile, it is necessary to start from a preliminary identification of the tasks and specific activities of
the professional profile (Clause 4);
• the requirements of the specific professional profile are defined in terms of knowledge, skills and
competence (Clause 5) and the personal ability expected have also been identified, as far as
applicable. An indication of the levels associated with the specific professional activity, using the e-
CF levels which are directly mapped to the ones within the European Qualifications Framework
(EQF), is also provided;
• the useful elements regarding the applicable assessment methods are defined (Clause 7). These
elements have been developed taking into due consideration what already consolidated within
voluntary technical standardization, also with reference to the normative corpus concerning the
conformity assessment (EN ISO/IEC 17000 series);
• in Appendix A (normative) skills and knowledges applicable to the development of the profiles are
listed;
• in Appendix B (normative) requirements for access to professional profiles are defined.
Furthermore, as far as relevant, the guidelines specified in the CEN Guide 14 were also followed.
4

---------------------- Page: 6 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
1 Scope
This document defines the requirements related to the professional activity of persons active in the
processing and protection of personal data, namely the intellectual profession that is pursued at different
levels of complexity and in different organizational contexts, both public and private.
These requirements are specified, starting from the specific tasks and activities identified, in terms of
knowledge, skills and competence, in accordance with the European Qualifications Framework - EQF and
are expressed in such a way as to facilitate and contribute to harmonize, as far as possible, evaluation and
validation processes of learning outcomes.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 16234-1, e-Competence Framework (e-CF) - A common European Framework for ICT Professionals in
all sectors - Part 1: Framework
EN ISO/IEC 27000, Information technology - Security techniques - Information security management
systems - Overview and vocabulary
EN ISO/IEC 29100, Information technology – Security techniques – Privacy framework
ISO/IEC 17024, Conformity assessment — General requirements for bodies operating certification of
persons
CWA 16458-3, European ICT Professional Role Profiles – Part 3: Methodology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 16234-1, EN ISO/IEC 27000,
EN ISO/IEC 29100 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1
formal learning
learning process deriving from training activities, intentional and structured, carried out by entities /
institutions of education and training recognized by a competent authority
Note 1 to entry: Formal learning can involve the issues of certificate with legal value.
3.2
informal learning
learning process deriving from work experiences, from family life and also from leisure time
Note 1 to entry: Informal learning is not a deliberately structured activity and sometimes learning is not intentional.
5

---------------------- Page: 7 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
3.3
non-formal learning
learning process resulting from training activities, intentional and structured, implemented in any field
other than formal
Note 1 to entry: Such a training does not issue a certificate with legal value.
3.4
audit
Systematic, independent and documented process for obtaining audit evidence (records, statements of
facts or other relevant and verifiable information) and evaluating them objectively, in order to establish
to what extent the audit criteria (policies, procedures or requirements used as a reference) have been
met
3.5
validation of learning outcomes
process confirming that certain assessed learning outcomes, obtained by a learner, correspond to the
results required for a specified qualification or part of it
Note 1 to entry: to entry: Certification, in accordance with ISO/IEC 17024, is an evaluation and validation process.
Note 2 to entry: to entry: The recognition of learning outcomes, according to defined rules, by subjects or other
organizations in charge, is also a process of evaluation and validation.
3.6
Privacy Impact Assessment (PIA)
overall process of identification, analysis, evaluation, consultation, communication and planning of the
processing of potential privacy impacts in the processing of personal data, contextualized within the
overall company framework for risk management
[SOURCE: ISO/IEC 29134]
3.7
Privacy Level Agreement (PLA)
level of protection of personal data guaranteed by a supplier in the provision of services to its customers,
conceptually similar to an SLA
3.8
Qualification
formal result of an assessment and validation process, obtained when a competent and impartial
organization states that the learning outcomes of an individual are compliant with technical standards
Note 1 to entry: to entry: Definition adapted from the EQF, Annex I, definition a).
3.9
Results of learning
description of what a person knows, understands and is able to do at the end of a learning process
Note 1 to entry: to entry: The results are described in terms of knowledge, skills and competences.
Note 2 to entry: to entry: Learning outcomes can derive from formal, non-formal or informal learning.
6

---------------------- Page: 8 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
3.10
Service Level Agreement (SLA)
document that defines the technical support or business performance objectives, including measures for
performance and consequences for failure the provider of a service can provide its clients
[SOURCE: ISO/IEC 27039]
3.11
Evaluation of learning outcomes
methods and processes used to define the extent to which a person has effectively achieved one specific
knowledge, skill or competence
4 Professional profile tasks and specific activities
4.1 General
The professional operating in the processing and protection of personal data performs a wide range of
activities, frequently transversal to other business processes, both with respect to the life cycle of the
processing - from design to cessation - and with respect to the examined topics, technological,
organizational, legal or otherwise.
The professional working in the field of processing and protection of personal data thus contributes to
the management or the verification of a more or less extensive set of processes and information systems
involved in the processing of personal data, on behalf of natural or legal persons, such as entities,
institutions, associations, public or private. Legal entities of different sizes may decide either to collapse
related professional profiles into one (e.g. data protection manager and data protection specialist or a
data protection auditor with another auditor) or to have several instances of the same profile within
different responsibility areas, such as geographical or organizational ones. In all cases the separation
between control-related profiles like auditor and data protection officer and the other ones should be
preserved.
At the time of publication of this standard, the maintenance, updating and development of the skills
necessary for the professional activity of the subjects, operating in the processing and protection of
personal data, are not subject to a detailed training path herewith defined. The professional is however
required to follow autonomous or guided paths of continuous professional updating, consistent with the
provisions of paragraph 6.4 and Appendix B.
NOTE: if professionals have already followed previous training courses, not aligned with the indications
of this standard, the certification body will most likely need carry out an analytical comparison between
the path already followed by the candidate for certification and the path illustrated in this standard,
assuming the relative responsibilities.
4.2 Introduction to professional profiles
A series of considerations of an introductory nature and preliminary to the description of the main
professional profiles, referred to in Clause 6 of this standard, is listed below in order to facilitate their
understanding.
Data protection officer
It is a profile corresponding to the professional profile described in EU Regulation 2016/679, art. 39. It is
possible to assign to the profile different tasks and other tasks included in other managerial level profiles,
if no conflict of interest is present.
7

---------------------- Page: 9 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
Data protection manager
It is a profile corresponding to professionals with a very high level of knowledge, skills and competences
in a specific organizational context (both a functional area of the organization and a specific sector), to
ensure the adoption of appropriate organizational measures in the processing of personal data.
Data protection specialist
It is a profile corresponding to professionals able to support the Data protection officer and / or the Data
protection manager in developing the appropriate technical and organizational measures for the
processing of personal data.
Data protection engineer
It is a profile corresponding to professionals who are designing and building systems that process
personal data, who have a specialist knowledge of, and responsibility for, related data protection issues.
They can work alongside other software and systems engineers and related technical disciplines, as well
as with other data protection-devoted profiles in an organization both developing and operating those
systems.
Data protection auditor
It is a profile corresponding to independent professionals with knowledge and skills in the IT /
technology sector and legal / organizational activities, able to carry out processing and protection of
personal data, which can still make use of data protection specialists in both areas to carry out audit
assignments.
4.3 Tasks and activities of the professional operating in the processing and protection of
personal data
The profile of the professional operating in the field of processing and protection of personal data
includes a series of fundamental tasks which, without pretending exhaustiveness, are described in the
following Clause 5 (see item “Main tasks”).
A professional operating in the processing and protection of personal data are intended as a person who
has a profile that complies with the aforementioned tasks, and performs, or has the necessary
preparation, to achieve the “Expected Results”.
5 Knowledge, skills and competencies associated with professional activity
5.1 General
Each professional profile in this chapter is structured with a short description synthesizing it, the pursued
mission, the deliverables of which they are accountable, responsible or contributor, the specific
performed main tasks, competences defined according to EN 16234-1 and CWA 16458-3 are identified
within the “Competences e-CF” section with related skills and knowledge and the KPIs measuring their
performance.
5.2 Data protection officer professional profile
Short description
Advises Controllers or Processors for the application of EU Regulation 2016/679.
Mission
Advises Controllers or Processors with respect to the risks of data processing activities to ensure
compliance with EU Regulation 2016/679 and other local data protection provisions.
8

---------------------- Page: 10 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
1
Deliverables
Accountable
• Regular risk-based reports on compliance with laws regarding personal data protection.
• Documentation in support of the request for consultation addressed to data protection authorities,
according to the development of data protection impact assessment pursuant to Regulation
2016/679.
• Requests for consultation with data protection authorities on specific application issues.
• Documentation supporting the interface with the data protection authorities (requests for
information, assessment procedures or testing etc.).
• Documentation (including forms) supporting the interface with the interested parties.
• Indicators on the protection of personal data.
• Advice with respect to inquiries regarding data protection law and its application.
• Responsible
• Opinions on data protection impact assessments pursuant to Regulation 2016/679.
Contributor
• Attribution of responsibilities in the processing and protection of personal data.
• Budget for the protection of personal data.
• Policy for the protection of personal data.
• Data protection notices.
• Requirements for the processing and protection of personal data.
• Operating procedures for processing and protection of personal data.
• Development of a Data protection impact assessment.
• Evaluation of the risk related to information security.
• Risk management plan related to information security.
• Codes of conduct.
• Answers to data subject exercising their rights.
• Audit program for the protection and processing of personal data.
• Training program, professional development and awareness.

1
Please note that all professional profiles herewith described are not related to legal responsibilities, but only to
operating responsibilities.
9

---------------------- Page: 11 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
• Notification of incidents that result in a violation of personal data (to data protection authorities).
Main tasks
• inform and provide advice to the controller and processor, as well as to employees involved in
processing of personal data, about the obligations arising from this Regulation as well as from other
Union or Member State data protection provisions;
• monitor compliance with the Regulation, other Union or Member State provisions on data protection
and the policies of the controller or data controller, regarding the protection of personal data,
including the assignment of responsibilities, the awareness and training of personnel involved in the
processing and related control activities;
• provide, if requested, an opinion on the impact assessment on data protection and monitor its
performance;
• cooperate with the supervisory authority;
• act as a contact point for the supervisory authority for matters related to processing.
The following Table 1 shows the assigned competencies and required levels according to the e-CF
provided in EN 16234-1.
Table 1 — assigned competencies and required levels according to the e-CF provided in
EN 16234-1
e-CF competence Level
D.8. Contract Management 3
D.9. Personnel Development 3
E.3. Risk management 4
E.4. Relationship Management 4
E.8. Information Security Management 3
Skills
• Analyse personal data processing and evaluate their compliance to applicable legal requirements
• Verify the application of data protection by design and protection by default
• Verify the appropriate application of data protection principles
• Identify roles, responsibilities and legal basis for the processing of personal data
• Contribute to the strategy for the processing and protection of personal data
• Contribute to provision of correct information to data subjects
• Manage the application of codes of conduct and certification applicable to the processing and
protection of personal data
• Ability to communicate
• Analytical skills
10

---------------------- Page: 12 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
• Self-management and stress control
• Self-development capacity
• Control capacity
• Persuasion capacity
• Conflict management capacity
• Initiative
• Eligibility for negotiation
• Organization skills
• Perspective thinking
• Planning and scheduling
• Constructive attitude in solving problems
• Tenacity
• S1 - address CPD needs of staff to meet organisational requirements
• S5 - analyse the company critical assets and identify weaknesses and vulnerability to intrusion or
attack
• S19 - anticipate required changes to the organization’s information security strategy and formulate
new plans anticipate required changes to the organization’s information security strategy and
formulate new plans
• S21 - apply mitigation and contingency actions
• S23 - apply relevant standards, best practices and legal requirements for information security
• S40 – coach
• S45 - compose, document and catalogue essential processes and procedures
• S52 - communicate and promote the organization’s risk analysis outcomes and risk management
processes
• S55 - communicate good and bad news to avoid surprises
• S66 - establish a risk management plan to feed and produce preventative action plans
• S91 - ensure that IPR and privacy issues are respected
• S111 - identify competence and skill gaps
• S140 - negotiate contract terms and conditions
• S153 - prepare templates for shared publications
11

---------------------- Page: 13 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
• S156 - design and document the processes for risk analysis and management
• S167 - gather internal and external knowledge and information needs
• S171 - make information available
• S172 - address professional development needs of staff to meet organisational requirements
• S176 – observe and deploy effective use of corporate standards for publications
• S187 - develop risk management plan to identify required preventative actions
Knowledge
• The principles of data protection including data protection by design and by default
• The rights of the interested parties provided for by current laws and regulations
• Responsibilities related to the processing of personal data
• Local and European laws on the processing and protection of personal data
• Legal developments related to local and European judicial decisions.
• Legislation on the transfer of personal data abroad and circulation of personal data outside the
EU/EEA
• Data protection impact assessment methodologies
• Possible threats to the protection of personal data
• ISO/IEC technical standards applicable to the management of personal data
• The codes of conduct and the certifications applicable in the matter of processing and protection of
personal data
• Communication techniques and tools (relationship with institutions, authorities, law enforcement
agencies, local authorities and press)
• Cryptographic techniques
• Anonymization techniques
• Pseudonymization techniques
• Monitoring and reporting systems and techniques
• - tools for production, editing and distribution of professional documents
• K49 - competence development methods
• K60 - organization processes including, decision making, budgets and management structure
• K67 - the critical risks for information security management
12

---------------------- Page: 14 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
• K71 - the typical KPI (key performance indicators)
• K83 - the potential and opportunities of relevant standards and best practices
• K85 - the return on investment compared to risk avoidance
• K98 - the impact of legal requirements on information security
• K108 - the computer forensics
• K115 - the organization’s security management policy and its implications for engagement with
customers, suppliers and subcontractors
• K122 - the information strategy of the organization
• K130 - good practices (methodologies) and standards in risk analysis
• K132 - the best practices and standards in information security management
• K139 - competence and skill needs analysis methodologies
• K149 - legal regulations applicable to ICT contracts
• K152 - new emerging technologies (e.g. distributed systems, virtualisation models, data sets, mobile
systems)
• K158 - possible security threats
• K161 - challenges related to the size of data sets (e.g. big data)
• K162 - challenges related to unstructured data (e.g. data analytics)
• K180 – cyber-attack techniques and counter measures for avoidance
Area of application of KPIs
• Application of the EU Regulation 2016/679
5.3 Data protection manager professional profile
Short description
2
Is responsible for and coordinates the processing of personal data.
Mission
Coordinates all subjects involved in the processing of personal data, in order to guarantee compliance
with the applicable laws and the achievement and maintenance of the appropriate level of protection, on
the basis of the specific processing of personal data carried out.

2
The definition is different from the “data processor” definition, used in the GDPR (UE 2016/679)
13

---------------------- Page: 15 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
3
Deliverables
Accountable
• Operating procedures for processing and protection of personal data.
• Reports on the overall status of personal data protection (i.e. review).
• Indicators on the protection of personal data.
Responsible
• Budget for the protection of personal data.
• Attribution of responsibilities for processing and protection of personal data.
• Data protection impact assessment.
• Policy for the protection of personal data.
• Requirements for the processing and protection of personal data.
• Technical and organizational measures to ensure data protection by default.
• Preventive consultations.
• Notification of incidents that result in a violation of personal data (to data subjects).
• Data protection notices.
• Answers to data subject exercising their rights.
• Records of processing activities.
• Training, updating and awareness program.
Contributor
4
• Eva
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.