
Is there such a thing as “GDPR compliant”?

By Nader Henein | May 27, 2021 | 4 Comments

Recent approvals of two codes of conduct by the European Data Protection Board, the body that oversees the GDPR, have reinvigorated this question. The short answer is “No”; the longer answer is “Not yet, but it should be coming soon”, and you should be preparing. In this 5 minute read, I’ll take you through the story so far and what IT leaders and vendors can do to demonstrate compliance and prepare for formal certification.

Vendor marketing claims aside, as of the writing of this post, there is no formal certification for GDPR compliance. BUT the GDPR does set out a process in Article 42 so that certification bodies can submit their schemes for formal approval. Even though the GDPR came into effect in May of 2018, a process to operationalize Art. 42 did not exist until early 2020, with the publication of the approval procedures.

Sidebar: recently, the European Data Protection Board (EDPB) adopted two codes of conduct (CoC) for cloud providers, submitted through the Belgian and French supervisory authorities (SAs) respectively. These codes of conduct may be used as an element to demonstrate compliance but are NOT formal certification.

In 2019, a European Commission (EC) study identified 117 certification schemes and selected 15 for detailed analysis. Similar to CoCs, there are data protection certification mechanisms that “may be used as an element to demonstrate compliance” but are out of scope of Art. 42. These include personal information management systems such as BS 10012, the NIST Privacy Framework and ISO 27701. The latter is an extension of the ISO 27000 series and has been met with glowing support from the CNIL, France’s SA and one of the most active voices within the EDPB.

The EC study highlighted two schemes as potential candidates to provide formal certification against the GDPR: ISDP 10003 from ACCREDIA (Italy) and the European Privacy Seal from EuroPrise (Germany). These mechanisms are able to certify products, processes and services, and in the case of EuroPrise, we’ve been able to follow their progress as they work through the formal approval process with the German regulator and ultimately the EDPB.

Recommendations

  • For vendor organizations selling products or providing data services to their clients, choosing ISDP 10003 or the European Privacy Seal enables them to deliver a solution with a certified configuration that can easily, or in some instances automatically, achieve formal GDPR compliance once a ruling is made by the EDPB.
  • For end-user organizations looking at certification to:
    • Validate products and/or data services: ensure that you assess the target of evaluation (ToE) against which a certification was achieved. This document defines the products and configurations in scope of the formal assessment process.
    • Assess internal procedures when handling personal information: consider BS 10012, the NIST Privacy Framework or ISO 27701 to establish a personal information management system.

Privacy certifications, whether formally approved for GDPR compliance or not, are an excellent approach to support structure in a privacy program and provide a competitive advantage.

4 Comments

  • Dear Nader, great piece! How do you evaluate the SOC2 within this spectrum? Would you also recommend it for vendor organisations? Thank you

    • Nader Henein says:

      SOC2 (as demonstrated in the framework illustration), like ISO 27001, has a far heavier security focus than a privacy focus. So it does support how data is protected and can be used to demonstrate due diligence and due care from that angle, but it doesn’t touch on central themes of data privacy such as purpose of processing, consent, preference management or subject rights.

  • Hannah says:

    Good blog on the evolving GDPR situation. Any news as to which scheme will be selected for vendor organizations, or is there a possibility both may be? Thanks!

    • Nader Henein says:

      I expect a fair few certification schemes will be approved over the years. The process is by no means for the faint-hearted; it takes a lot of time and work to receive the green light from (first) your own lead supervisory authority and then the EDPB. Also, changes may be required, which really complicates things, because it potentially becomes a brand new certification. For vendors, I expect the scheme to be based on ISO/IEC 17065. Most people don’t know that certification schemes follow models defined by ISO/IEC, and 17065 allows certification of a product, process or service; ISDP 10003 and Privacy Seal are both based on 17065.