Requirements for professional profiles related to personal data processing and protection

The standard defines the requirements related to the professional activity of subjects active in the processing and protection of
personal data, namely the intellectual profession that is pursued at different levels of complexity and in different organizational
contexts, both public and private.
These requirements are specified, starting from the specific tasks and activities identified, in terms of knowledge, skills and
competence, in accordance with the European Qualifications Framework - EQF and are expressed in such a way as to facilitate and
contribute to harmonize, as far as possible, evaluation and validation processes of learning outcomes.

Anforderungen an Berufsprofile im Zusammenhang mit der Verarbeitung und dem Schutz personenbezogener Daten

Dieses Dokument definiert die Anforderungen an die berufliche Tätigkeit von Personen, die im Bereich der Verarbeitung und des Schutzes personenbezogener Daten tätig sind, d. h. an den intellektuellen Beruf, der auf verschiedenen Komplexitätsniveaus und in verschiedenen organisatorischen Kontexten, sowohl im öffentlichen als auch im privaten Bereich, ausgeübt wird.
Diese Anforderungen werden ausgehend von den identifizierten spezifischen Aufgaben und Tätigkeiten in Form von Wissen, Fertigkeiten und Kompetenzen in Übereinstimmung mit dem Europäischen Qualifikationsrahmen (EQR) spezifiziert und so ausgedrückt, dass sie die Evaluierungs- und Validierungsprozesse von Lernergebnissen erleichtern und so weit wie möglich zur Harmonisierung beitragen.

Exigences relatives aux profils de professionnels en lien avec le traitement et la protection de données à caractère personnel

Le présent document définit les exigences relatives à l'activité professionnelle des personnes intervenant activement dans le traitement et la protection des données à caractère personnel, à savoir la profession intellectuelle menée à différents niveaux de complexité et dans différents contextes organisationnels, à la fois publics et privés.
Ces exigences sont spécifiées en des termes de connaissances, d'aptitudes et de compétences conformément au cadre européen des certifications (CEC), en commençant par les tâches et activités spécifiques identifiées, et sont exprimées de telle manière à faciliter et contribuer à harmoniser, dans la mesure du possible, les processus d'évaluation et de validation des résultats d'apprentissage.

Zahteve za poklicne profile v zvezi z obdelavo in varovanjem osebnih podatkov

General Information

Status
Not Published
Publication Date
02-Oct-2023
Current Stage
4599 - Dispatch of FV draft to CMC - Finalization for Vote
Start Date
08-Mar-2023
Due Date
22-Nov-2021
Completion Date
08-Mar-2023

Buy Standard

Draft
prEN 17740:2021
English language
52 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
oSIST prEN 17740:2021
01-december-2021
Zahteve za poklicne profile v zvezi z obdelavo in varovanjem osebnih podatkov

Requirements for professional profiles related to personal data processing and protection

Anforderungen an Berufsprofile im Zusammenhang mit der Verarbeitung und dem
Schutz personenbezogener Daten

Exigences relatives aux profils de professionnels en lien avec le traitement et la

protection de données à caractère personnel
Ta slovenski standard je istoveten z: prEN 17740
ICS:
03.100.30 Vodenje ljudi Management of human
resources
35.030 Informacijska varnost IT Security
oSIST prEN 17740:2021 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN 17740:2021
---------------------- Page: 2 ----------------------
oSIST prEN 17740:2021
EUROPEAN STANDARD
DRAFT
prEN 17740
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2021
ICS 03.100.30; 35.030
English version
Requirements for professional profiles related to personal
data processing and protection
Anforderungen an Berufsprofile im Zusammenhang
mit der Verarbeitung und dem Schutz
personenbezogener Daten

This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee

CEN/CLC/JTC 13.

If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal

Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any

alteration.

This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A

version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own

language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,

Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,

Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,

Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are

aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification

of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without

notice and shall not be referred to as a European Standard.
---------------------- Page: 3 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
Contents Page

European foreword ............................................................................................................................................ 3

Introduction .......................................................................................................................................................... 4

1 Scope .......................................................................................................................................................... 5

2 Normative references .......................................................................................................................... 5

3 Terms and definitions ......................................................................................................................... 5

4 Professional profile tasks and specific activities ...................................................................... 7

5 Knowledge, skills and competencies associated with professional activity ................... 8

6 Elements for the evaluation and validation of learning outcomes ................................... 34

Annex A (informative) Index of skills and knowledge ....................................................................... 37

Annex B (normative) Requirements for professional profiles access .......................................... 50

Bibliography ....................................................................................................................................................... 52

---------------------- Page: 4 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
European foreword

This document (prEN 17740:2021) has been prepared by Technical Committee CEN/CLC/JTC 13

“Cybersecurity and Data protection”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
---------------------- Page: 5 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
Introduction

The definition of requirements for professional profiles in the field of processing and protection of

personal data are necessary to establish the fundamental set of knowledges, skills and competences that

distinguish such profiles.

The standard applies to the professional profiles in the identified area, regardless of the working methods

and type of employment relationship. Tasks and activities related to the profession are described on the

basis of all functions actually performed by professionals working in the field of processing and

protection of personal data in different work contexts. These functions are varied and concern technical,

administrative, cultural, scientific and legal aspects.

This standard adopts the reference European framework for the definition of competences and related

skills: EN 16234-1. For related ICT-oriented profiles, such as for example the system administrator,

please refer to CEN CWA 16458-1.

The profiles defined in this standard are not intended to be exhaustive and are applicable regardless of

the work placement of the subjects operating in the sector.

The main intended audience of this standard comprises professionals seeking guidance regarding their

professional development, enterprises defining their internal data protection organization and related

hiring requirements, bodies providing personnel training, accreditation and certification services.

Methodological approach

Within the development of this standard the principles and indications set out in Recommendation 2008

/ C111 / 01 (European Qualification Framework - EQF) and Recommendation 2009 / C 155/02

(European Credit System for Vocational Education and Training - ECVET) were first considered.

From a methodological point of view, it was established in particular that:

• the basic terms and definitions (Clause 3) adopted are, for the most part, derived from the EQF,

ECVET and the relevant terminology commonly used in the European Community;

• the specific terms and definitions of the subject “protection of personal data” are consistent with

those set out in EU 2016/679 Regulation;

• for the description of the requirements of knowledge, skills and competence of a specific professional

profile, it is necessary to start from a preliminary identification of the tasks and specific activities of

the professional profile (Clause 4);

• the requirements of the specific professional profile are defined in terms of knowledge, skills and

competence (Clause 5) and the personal ability expected have also been identified, as far as

applicable. An indication of the levels associated with the specific professional activity, using the e-

CF levels which are directly mapped to the ones within the European Qualifications Framework

(EQF), is also provided;

• the useful elements regarding the applicable assessment methods are defined (Clause 7). These

elements have been developed taking into due consideration what already consolidated within

voluntary technical standardization, also with reference to the normative corpus concerning the

conformity assessment (EN ISO/IEC 17000 series);

• in Appendix A (normative) skills and knowledges applicable to the development of the profiles are

listed;

• in Appendix B (normative) requirements for access to professional profiles are defined.

Furthermore, as far as relevant, the guidelines specified in the CEN Guide 14 were also followed.

---------------------- Page: 6 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
1 Scope

This document defines the requirements related to the professional activity of persons active in the

processing and protection of personal data, namely the intellectual profession that is pursued at different

levels of complexity and in different organizational contexts, both public and private.

These requirements are specified, starting from the specific tasks and activities identified, in terms of

knowledge, skills and competence, in accordance with the European Qualifications Framework - EQF and

are expressed in such a way as to facilitate and contribute to harmonize, as far as possible, evaluation and

validation processes of learning outcomes.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

EN 16234-1, e-Competence Framework (e-CF) - A common European Framework for ICT Professionals in

all sectors - Part 1: Framework

EN ISO/IEC 27000, Information technology - Security techniques - Information security management

systems - Overview and vocabulary

EN ISO/IEC 29100, Information technology – Security techniques – Privacy framework

ISO/IEC 17024, Conformity assessment — General requirements for bodies operating certification of

persons
CWA 16458-3, European ICT Professional Role Profiles – Part 3: Methodology
3 Terms and definitions

For the purposes of this document, the terms and definitions given in EN 16234-1, EN ISO/IEC 27000,

EN ISO/IEC 29100 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1
formal learning

learning process deriving from training activities, intentional and structured, carried out by entities /

institutions of education and training recognized by a competent authority

Note 1 to entry: Formal learning can involve the issues of certificate with legal value.

3.2
informal learning

learning process deriving from work experiences, from family life and also from leisure time

Note 1 to entry: Informal learning is not a deliberately structured activity and sometimes learning is not intentional.

---------------------- Page: 7 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
3.3
non-formal learning

learning process resulting from training activities, intentional and structured, implemented in any field

other than formal
Note 1 to entry: Such a training does not issue a certificate with legal value.
3.4
audit

Systematic, independent and documented process for obtaining audit evidence (records, statements of

facts or other relevant and verifiable information) and evaluating them objectively, in order to establish

to what extent the audit criteria (policies, procedures or requirements used as a reference) have been

met
3.5
validation of learning outcomes

process confirming that certain assessed learning outcomes, obtained by a learner, correspond to the

results required for a specified qualification or part of it

Note 1 to entry: to entry: Certification, in accordance with ISO/IEC 17024, is an evaluation and validation process.

Note 2 to entry: to entry: The recognition of learning outcomes, according to defined rules, by subjects or other

organizations in charge, is also a process of evaluation and validation.
3.6
Privacy Impact Assessment (PIA)

overall process of identification, analysis, evaluation, consultation, communication and planning of the

processing of potential privacy impacts in the processing of personal data, contextualized within the

overall company framework for risk management
[SOURCE: ISO/IEC 29134]
3.7
Privacy Level Agreement (PLA)

level of protection of personal data guaranteed by a supplier in the provision of services to its customers,

conceptually similar to an SLA
3.8
Qualification

formal result of an assessment and validation process, obtained when a competent and impartial

organization states that the learning outcomes of an individual are compliant with technical standards

Note 1 to entry: to entry: Definition adapted from the EQF, Annex I, definition a).

3.9
Results of learning

description of what a person knows, understands and is able to do at the end of a learning process

Note 1 to entry: to entry: The results are described in terms of knowledge, skills and competences.

Note 2 to entry: to entry: Learning outcomes can derive from formal, non-formal or informal learning.

---------------------- Page: 8 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
3.10
Service Level Agreement (SLA)

document that defines the technical support or business performance objectives, including measures for

performance and consequences for failure the provider of a service can provide its clients

[SOURCE: ISO/IEC 27039]
3.11
Evaluation of learning outcomes

methods and processes used to define the extent to which a person has effectively achieved one specific

knowledge, skill or competence
4 Professional profile tasks and specific activities
4.1 General

The professional operating in the processing and protection of personal data performs a wide range of

activities, frequently transversal to other business processes, both with respect to the life cycle of the

processing - from design to cessation - and with respect to the examined topics, technological,

organizational, legal or otherwise.

The professional working in the field of processing and protection of personal data thus contributes to

the management or the verification of a more or less extensive set of processes and information systems

involved in the processing of personal data, on behalf of natural or legal persons, such as entities,

institutions, associations, public or private. Legal entities of different sizes may decide either to collapse

related professional profiles into one (e.g. data protection manager and data protection specialist or a

data protection auditor with another auditor) or to have several instances of the same profile within

different responsibility areas, such as geographical or organizational ones. In all cases the separation

between control-related profiles like auditor and data protection officer and the other ones should be

preserved.

At the time of publication of this standard, the maintenance, updating and development of the skills

necessary for the professional activity of the subjects, operating in the processing and protection of

personal data, are not subject to a detailed training path herewith defined. The professional is however

required to follow autonomous or guided paths of continuous professional updating, consistent with the

provisions of paragraph 6.4 and Appendix B.

NOTE: if professionals have already followed previous training courses, not aligned with the indications

of this standard, the certification body will most likely need carry out an analytical comparison between

the path already followed by the candidate for certification and the path illustrated in this standard,

assuming the relative responsibilities.
4.2 Introduction to professional profiles

A series of considerations of an introductory nature and preliminary to the description of the main

professional profiles, referred to in Clause 6 of this standard, is listed below in order to facilitate their

understanding.
Data protection officer

It is a profile corresponding to the professional profile described in EU Regulation 2016/679, art. 39. It is

possible to assign to the profile different tasks and other tasks included in other managerial level profiles,

if no conflict of interest is present.
---------------------- Page: 9 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
Data protection manager

It is a profile corresponding to professionals with a very high level of knowledge, skills and competences

in a specific organizational context (both a functional area of the organization and a specific sector), to

ensure the adoption of appropriate organizational measures in the processing of personal data.

Data protection specialist

It is a profile corresponding to professionals able to support the Data protection officer and / or the Data

protection manager in developing the appropriate technical and organizational measures for the

processing of personal data.
Data protection engineer

It is a profile corresponding to professionals who are designing and building systems that process

personal data, who have a specialist knowledge of, and responsibility for, related data protection issues.

They can work alongside other software and systems engineers and related technical disciplines, as well

as with other data protection-devoted profiles in an organization both developing and operating those

systems.
Data protection auditor

It is a profile corresponding to independent professionals with knowledge and skills in the IT /

technology sector and legal / organizational activities, able to carry out processing and protection of

personal data, which can still make use of data protection specialists in both areas to carry out audit

assignments.

4.3 Tasks and activities of the professional operating in the processing and protection of

personal data

The profile of the professional operating in the field of processing and protection of personal data

includes a series of fundamental tasks which, without pretending exhaustiveness, are described in the

following Clause 5 (see item “Main tasks”).

A professional operating in the processing and protection of personal data are intended as a person who

has a profile that complies with the aforementioned tasks, and performs, or has the necessary

preparation, to achieve the “Expected Results”.
5 Knowledge, skills and competencies associated with professional activity
5.1 General

Each professional profile in this chapter is structured with a short description synthesizing it, the pursued

mission, the deliverables of which they are accountable, responsible or contributor, the specific

performed main tasks, competences defined according to EN 16234-1 and CWA 16458-3 are identified

within the “Competences e-CF” section with related skills and knowledge and the KPIs measuring their

performance.
5.2 Data protection officer professional profile
Short description
Advises Controllers or Processors for the application of EU Regulation 2016/679.
Mission

Advises Controllers or Processors with respect to the risks of data processing activities to ensure

compliance with EU Regulation 2016/679 and other local data protection provisions.

---------------------- Page: 10 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
Deliverables
Accountable

• Regular risk-based reports on compliance with laws regarding personal data protection.

• Documentation in support of the request for consultation addressed to data protection authorities,

according to the development of data protection impact assessment pursuant to Regulation

2016/679.

• Requests for consultation with data protection authorities on specific application issues.

• Documentation supporting the interface with the data protection authorities (requests for

information, assessment procedures or testing etc.).

• Documentation (including forms) supporting the interface with the interested parties.

• Indicators on the protection of personal data.

• Advice with respect to inquiries regarding data protection law and its application.

• Responsible

• Opinions on data protection impact assessments pursuant to Regulation 2016/679.

Contributor

• Attribution of responsibilities in the processing and protection of personal data.

• Budget for the protection of personal data.
• Policy for the protection of personal data.
• Data protection notices.
• Requirements for the processing and protection of personal data.
• Operating procedures for processing and protection of personal data.
• Development of a Data protection impact assessment.
• Evaluation of the risk related to information security.
• Risk management plan related to information security.
• Codes of conduct.
• Answers to data subject exercising their rights.
• Audit program for the protection and processing of personal data.
• Training program, professional development and awareness.

Please note that all professional profiles herewith described are not related to legal responsibilities, but only to

operating responsibilities.
---------------------- Page: 11 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)

• Notification of incidents that result in a violation of personal data (to data protection authorities).

Main tasks

• inform and provide advice to the controller and processor, as well as to employees involved in

processing of personal data, about the obligations arising from this Regulation as well as from other

Union or Member State data protection provisions;

• monitor compliance with the Regulation, other Union or Member State provisions on data protection

and the policies of the controller or data controller, regarding the protection of personal data,

including the assignment of responsibilities, the awareness and training of personnel involved in the

processing and related control activities;

• provide, if requested, an opinion on the impact assessment on data protection and monitor its

performance;
• cooperate with the supervisory authority;

• act as a contact point for the supervisory authority for matters related to processing.

The following Table 1 shows the assigned competencies and required levels according to the e-CF

provided in EN 16234-1.

Table 1 — assigned competencies and required levels according to the e-CF provided in

EN 16234-1
e-CF competence Level
D.8. Contract Management 3
D.9. Personnel Development 3
E.3. Risk management 4
E.4. Relationship Management 4
E.8. Information Security Management 3
Skills

• Analyse personal data processing and evaluate their compliance to applicable legal requirements

• Verify the application of data protection by design and protection by default
• Verify the appropriate application of data protection principles

• Identify roles, responsibilities and legal basis for the processing of personal data

• Contribute to the strategy for the processing and protection of personal data
• Contribute to provision of correct information to data subjects

• Manage the application of codes of conduct and certification applicable to the processing and

protection of personal data
• Ability to communicate
• Analytical skills
---------------------- Page: 12 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
• Self-management and stress control
• Self-development capacity
• Control capacity
• Persuasion capacity
• Conflict management capacity
• Initiative
• Eligibility for negotiation
• Organization skills
• Perspective thinking
• Planning and scheduling
• Constructive attitude in solving problems
• Tenacity
• S1 - address CPD needs of staff to meet organisational requirements

• S5 - analyse the company critical assets and identify weaknesses and vulnerability to intrusion or

attack

• S19 - anticipate required changes to the organization’s information security strategy and formulate

new plans anticipate required changes to the organization’s information security strategy and

formulate new plans
• S21 - apply mitigation and contingency actions

• S23 - apply relevant standards, best practices and legal requirements for information security

• S40 – coach
• S45 - compose, document and catalogue essential processes and procedures

• S52 - communicate and promote the organization’s risk analysis outcomes and risk management

processes
• S55 - communicate good and bad news to avoid surprises

• S66 - establish a risk management plan to feed and produce preventative action plans

• S91 - ensure that IPR and privacy issues are respected
• S111 - identify competence and skill gaps
• S140 - negotiate contract terms and conditions
• S153 - prepare templates for shared publications
---------------------- Page: 13 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
• S156 - design and document the processes for risk analysis and management
• S167 - gather internal and external knowledge and information needs
• S171 - make information available

• S172 - address professional development needs of staff to meet organisational requirements

• S176 – observe and deploy effective use of corporate standards for publications

• S187 - develop risk management plan to identify required preventative actions
Knowledge

• The principles of data protection including data protection by design and by default

• The rights of the interested parties provided for by current laws and regulations

• Responsibilities related to the processing of personal data
• Local and European laws on the processing and protection of personal data
• Legal developments related to local and European judicial decisions.

• Legislation on the transfer of personal data abroad and circulation of personal data outside the

EU/EEA
• Data protection impact assessment methodologies
• Possible threats to the protection of personal data
• ISO/IEC technical standards applicable to the management of personal data

• The codes of conduct and the certifications applicable in the matter of processing and protection of

personal data

• Communication techniques and tools (relationship with institutions, authorities, law enforcement

agencies, local authorities and press)
• Cryptographic techniques
• Anonymization techniques
• Pseudonymization techniques
• Monitoring and reporting systems and techniques
• - tools for production, editing and distribution of professional documents
• K49 - competence development methods

• K60 - organization processes including, decision making, budgets and management structure

• K67 - the critical risks for information security management
---------------------- Page: 14 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
• K71 - the typical KPI (key performance indicators)
• K83 - the potential and opportunities of relevant standards and best practices
• K85 - the return on investment compared to risk avoidance
• K98 - the impact of legal requirements on information security
• K108 - the computer forensics

• K115 - the organization’s security management policy and its implications for engagement with

customers, suppliers and subcontractors
• K122 - the information strategy of the organization
• K130 - good practices (methodologies) and standards in risk analysis
• K132 - the best practices and standards in information security management
• K139 - competence and skill needs analysis methodologies
• K149 - legal regulations applicable to ICT contracts

• K152 - new emerging technologies (e.g. distributed systems, virtualisation models, data sets, mobile

systems)
• K158 - possible security threats
• K161 - challenges related to the size of data sets (e.g. big data)
• K162 - challenges related to unstructured data (e.g. data analytics)
• K180 – cyber-attack techniques and counter measures for avoidance
Area of application of KPIs
• Application of the EU Regulation 2016/679
5.3 Data protection manager professional profile
Short description
Is responsible for and coordinates the processing of personal data.
Mission

Coordinates all subjects involved in the processing of personal data, in order to guarantee compliance

with the applicable laws and the achievement and maintenance of the appropriate level of protection, on

the basis of the specific processing of personal data carried out.

The definition is different from the “data processor” definition, used in the GDPR (UE 2016/679)

---------------------- Page: 15 ----------------------
oSIST prEN 17740:2021
prEN 17740:2021 (E)
Deliverables
Accountable
• Operating procedures for processing and protection of personal data.
• Reports on the overall status of personal data protection (i.e. review).
• Indicators on the protection of personal data.
Responsible
• Budget for the protection of personal data.

• Attribution of responsibilities for processing and protection of personal data.

• Data protection impact assessment.
• Policy for the protection of personal data.
• Requirements for the processing and protection of personal data.
• Technical and organizational measures to ensure data protection by default.
• Preventive consultations.

• Notification of incidents that result in a violation of personal data (to data subjects).

• Data protection notices.
• Answers to data subject exercising their rights.
• Records of processing activities.
• Training, updating and awareness program.
Contributor
• Eva
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.