Recent approvals for two codes of conduct by the European Data Protection Board – the body that oversees the GDPR – have reinvigorated this question. The short answer is “No”, the longer answer is “Not yet, but it should be coming soon”, and you should be preparing. In this 5-minute read, I’ll take you through the story so far and what IT leaders and vendors can do to demonstrate compliance and prepare for formal certification.
Vendor marketing claims aside, as of the writing of this post, there is no formal certification for GDPR compliance. BUT the GDPR does set out a process in Article 42 so that certification bodies can submit their schemes for formal approval. Even though the GDPR came into effect in May of 2018, a process to operationalize Art. 42 did not exist till early 2020 with the publication of the approval procedures.
Sidebar: recently, the European Data Protection Board (EDPB) adopted two codes of conduct (CoC) for cloud providers, submitted through the Belgian and French supervisory authorities (SAs) respectively. These codes of conduct may be used as an element to demonstrate compliance but are NOT formal certification.
In 2019, a European Commission (EC) study identified 117 certification schemes and selected 15 for detailed analysis. Similar to CoCs, there are data protection certification mechanisms that “may be used as an element to demonstrate compliance” but are out of scope of Art. 42. These include personal information management systems such as BS 10012, the NIST Privacy Framework and ISO 27701. The latter is an extension of the 27000 ISO series and has been met with glowing support from the CNIL, France’s SA and one of the most active voices within the EDPB.
The EC study highlighted two schemes as potential candidates to provide formal certification against the GDPR: ISDP 10003 from ACCREDIA (Italy) and the European Privacy Seal from EuroPriSe (Germany). These mechanisms are able to certify products, processes and services. In the case of EuroPriSe, we’ve been able to follow their progress as they work through the formal approval process with the German regulator and ultimately the EDPB.
Recommendations
- For vendor organizations selling products or providing data services to their clients, choosing ISDP 10003 or the European Privacy Seal enables them to deliver a solution with a certified configuration that can easily, or in some instances automatically, achieve formal GDPR compliance once a ruling is made by the EDPB.
- For end-user organizations looking at certification to:
  - Validate products and/or data services, ensure that you assess the target of evaluation (ToE) against which a certification was achieved. This document defines the products and configurations in scope of the formal assessment process.
  - Assess internal procedures when handling personal information, consider BS 10012, the NIST Privacy Framework or ISO 27701 to establish a personal information management system.
Privacy certifications, whether formally approved for GDPR compliance or not, are an excellent approach to support structure in a privacy program and provide a competitive advantage.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
4 Comments
Dear Nader, great piece! How do you evaluate the SOC2 within this spectre? Would you also recommend it for vendor organisations? Thank you
SOC2 (as demonstrated in the framework illustration), like ISO27001, has a far heavier security rather than a privacy focus. So it does support how data is protected and can be used to demonstrate due diligence and due care from that angle, but it doesn’t touch on central themes of data privacy such as purpose of processing, consent, preference management or subject rights.
Good blog on the evolving GDPR situation. Any news as to which scheme will be selected for vendor organizations, or is there a possibility both may be? Thanks!
I expect a fair few certification schemes will be approved over the years. The process is by no means for the faint-hearted; it takes a lot of time and work to receive the green light from (first) your own lead supervisory authority and then the EDPB. Also, changes may be required, which really complicates things, because it potentially becomes a brand new certification. For vendors, I expect the scheme to be based on ISO/IEC 17065. Most people don’t know that certification schemes follow models defined by ISO/IEC, and 17065 allows certification of a product, process or service. ISDP 10003 and Privacy Seal are both based on 17065.