Recent approvals for two codes of conduct by the European Data Protection Board – the body who oversees the GDPR – has reinvigorated this question. The short answer is “No”, the longer answer is “Not yet, but it should be coming soon”, and you should be preparing. In this 5 minute read, I’ll take you through the story so far and what IT leaders and vendors can do to demonstrate compliance and prepare for formal certification.
Vendor marketing claims aside, as of the writing of this post, there is no formal certification for GDPR compliance. BUT the GDPR does set out a process in Article 42 so that certification bodies can submit their schemes for formal approval. Even though the GDPR came into effect in May of 2018, a process to operationalize Art. 42 did not exist till early 2020 with the publication of the approval procedures.
Sidebar: recently, the European Data Protection Board (EDPB) adopted two codes of conduct (CoC) for cloud providers, submitted through the Belgian and French supervisory authorities (SAs) respectively. These codes of conduct may be used as an element to demonstrate compliance but are NOT formal certification.
In 2019, a European Commission (EC) study identified 117 certification schemes and selected 15 for detailed analysis. Similar to CoCs, there are data protection certification mechanisms that “may be used as an element to demonstrate compliance” but are out of scope of Art. 42. These include personal information management systems such as BS 10012, the NIST Privacy Framework and ISO 27701. The latter is an extension of the 27000 ISO series and has been met with glowing support from the CNIL, France’s SA and one of the most active voices within the EDPB.
The EC study highlighted two schemes as potential candidates to provide formal certification against the GDPR: ISDP 10003 from ACCREDIA (Italy) and the European Privacy Seal from EuroPrise (Germany). These mechanisms are able to certify products, processes and services and in the case of Europrise, we’ve been able to follow their progress as they work through the formal approval process with the German regulator and ultimately the EDPB.
- For vendor organizations selling products or providing data services to their clients, choosing ISDP 10003 or the European Privacy Seal enables them to deliver a solution with a certified configuration that can easily or in some instances automatically achieve formal GDPR compliance once a ruling is made by the EDPB.
- For end-user organizations looking at certification to,
- Validate products and/or data services, ensure that you assess the target of evaluation (ToE) against which a certification was achieved. This document defines the products and configurations in scope of the formal assessment process.
- Assess internal procedures when handling personal information, consider BS 10012, the NIST Privacy Framework or ISO 27701 to establish a personal information management system.
Privacy certifications, whether formally approved for GDPR compliance or not, are an excellent approach to support structure in a privacy program and provide a competitive advantage.