GDPR certification: The principal tool to demonstrate personal data protection compliance (Part 1)
by Vasiliki Tsiompanidou, Adrián Quesada Rodríguez, Anna Brékine, Renata Radocz, Sébastien Ziegler and Ana María Pacheco (IoT Lab)
Following the adoption of the General Data Protection Regulation (GDPR), the importance of data protection and privacy is constantly increasing, both for EU citizens and for enterprises operating in the Union. In this privacy-centric environment, we present how and why a GDPR certification is a well-suited instrument to demonstrate compliance and increase trust in a business' operations.
What is a GDPR certification and what are the criteria?
Since the General Data Protection Regulation (GDPR) [1] became applicable in May 2018, personal data protection and privacy have taken on a central role in the lives of the Union's citizens, who are increasingly aware of what data they share, with whom, and how that data is used [2]. At the same time, national data protection authorities have not hesitated to impose substantial fines on entities that violate the GDPR [3].
It is therefore understandable that more and more businesses are focusing on giving their customers the confidence to entrust them with their personal data, employing every available means, from a robust data protection policy to a stronger cybersecurity framework [4]. One of the most prominent measures for demonstrating compliance, foreseen by the GDPR itself and increasingly adopted by businesses, is GDPR certification. But what exactly is a GDPR certification, and how can it assist with GDPR compliance?
GDPR certification
Article 42 of the GDPR provides for the establishment of data protection certification mechanisms, seals and marks that allow controllers and processors of any size (the specific needs of micro, small and medium-sized enterprises are to be taken into account) to demonstrate that their processing operations comply with the Regulation. Under Article 42(2), read with Article 46(2)(f), a certification may also serve as an appropriate safeguard for transfers of personal data to countries outside the EU, provided the recipient controller or processor makes binding and enforceable commitments to apply those safeguards, including with regard to data subjects' rights.
When certifying processing operations, the certification body assesses three elements of the applicant's processing against the certification criteria: the personal data involved, the technical systems (infrastructure, hardware and software) used to process it, and the processes and procedures in place to manage the processing operations.
Certification Body
GDPR certification, seals and marks may be issued and renewed only by the competent supervisory authority itself or by certification bodies that have an appropriate level of expertise in data protection and have been accredited under Article 43 of the GDPR, either by the supervisory authority or by the national accreditation body (in the latter case in accordance with ISO/IEC 17065 and the additional requirements established by the supervisory authority).
Certification bodies can be accredited only if they demonstrate that:
- They are independent and possess sufficient expertise in relation to the subject-matter of the certification.
- They have undertaken to respect the certification criteria approved by the competent supervisory authority (or, in the case of a European Data Protection Seal, by the European Data Protection Board).
- They have established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks.
- They have established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public.
- They have demonstrated that their tasks and duties do not result in a conflict of interests.
Choosing a trustworthy certification body is essential when deciding to pursue GDPR certification, as the quality of the certification scheme and its reputation in the market will determine the level of trust it inspires in consumers, other businesses and partners.
Duration and renewal of certification
Certification issued by a certification body is valid for a maximum period of three years. It can be renewed under the same conditions, as long as the relevant criteria continue to be met. Where the criteria are not, or are no longer, met, the certification shall be withdrawn by the certification body or by the competent supervisory authority (Article 42(7)).
GDPR certification core criteria
Even though each certification body defines its own precise list of criteria, depending on the scope and comprehensiveness of its scheme, the European Data Protection Board has identified the minimum elements that any set of criteria must address [5]:
- The lawfulness of processing.
- Compliance with the general data protection principles.
- Protection of the data subjects’ rights.
- Compliance with the obligation to notify data breaches.
- Compliance with the principle of data protection by design and by default.
- Whether a Data Protection Impact Assessment is required and, where it is, that it has been carried out.
- The technical and organizational measures in place.
GDPR certification and security
A comprehensive data protection framework is not complete without adequate security mechanisms in place as part of the technical and organizational measures required by Article 32, so that personal data is protected against cyberthreats and related risks at a level appropriate to the risk. TRUSTaWARE focuses on providing precisely those solutions: identifying, preventing and mitigating the impact of the security and privacy threats associated with citizens' digital activities, and thereby easing the path to GDPR certification and compliance.
References
[1] European Parliament and Council of the European Union, Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016, available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[2] Eurostat, How do EU citizens manage their personal data online?, 2021, available at: https://ec.europa.eu/eurostat/web/products-eurostat-news/-/edn-20210128-1.
[3] Enforcement Tracker, GDPR Enforcement Tracker – list of GDPR fines, last updated June 2022, available at: https://www.enforcementtracker.com/?insights.
[4] Eurostat, Privacy and protection of personal data (2020 onwards), last updated 2022, available at: https://ec.europa.eu/eurostat/databrowser/view/isoc_cisci_prv20/default/table?lang=en.
[5] European Data Protection Board, Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation, version 3.0, 2019, available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf.