GDPR certification: The principal tool to demonstrate personal data protection compliance (Part 2)
by Vasiliki Tsiompanidou, Adrián Quesada Rodríguez, Anna Brékine, Renata Radocz, Sébastien Ziegler and Ana María Pacheco (IoT Lab)
As already established, a GDPR Certification is the optimal solution to ensure compliance with legal requirements and inspire confidence in data processing activities. Nonetheless, choosing a suitable certification scheme that will ensure the goals are sufficiently met is not always an easy process. In this context, Europrivacy is the certification scheme that offers precisely the benefits needed for an effective GDPR certification.
GDPR Certification
As previously explained, a GDPR Certification encompasses the data protection certifications, seals and marks that demonstrate that the processing operations of controllers and processors comply with the privacy requirements provided for by EU legislation. It is, thus, the best means not only to ensure compliance but also to increase citizens’ trust. It is, therefore, essential that a trustworthy certification scheme is used to accomplish the goals embedded in the acquisition of a GDPR certification.
How to choose a certification scheme?
When choosing a certification scheme, it is of utmost importance to find a suitable one that will lead the certification process smoothly and effectively. As a result, it is essential that the certification scheme chosen meets at least the following prerequisites [1]:
- It has sufficient expertise in data protection and privacy operations.
- It is respected by the community.
- It meets the criteria set out by the respective supervisory authority.
- It covers a vast array of data protection requirements and data processing activities, so that it meets the individual needs of each applicant.
- It provides a comprehensive solution, having developed adequate procedures to manage not only the certification scheme, but also individual requests.
- It is time and cost efficient.
The above serve as a sufficient baseline on the road to an effective certification, and each prospective applicant should bear them in mind while certifying their activities. Nonetheless, the question remains: among the multitude of certification schemes emerging, which one stands out?
GDPR certification scheme: Europrivacy
Europrivacy [2] is a certification scheme developed through the European research programme for assessing the compliance of data processing activities with the GDPR. It is managed by the European Centre for Certification and Privacy (ECCP) in Luxembourg and maintained by the Europrivacy International Board of Experts.
Notwithstanding the intricate link between Europrivacy certification and the GDPR, Europrivacy has taken a step further by integrating complementary regulations and requirements, including non-EU regulations on data protection. Europrivacy has additionally considered national data protection obligations that may introduce a differentiated framework for each applicant and, thus, should be taken into account for compliance purposes.
Europrivacy has been developed aiming at the following:
- To reduce legal and financial risks through a systematic gap analysis.
- To demonstrate data protection compliance through an impartial body and procedure.
- To provide continuous support to maintain and enhance compliance as regulations evolve.
Why choose Europrivacy?
Europrivacy has managed to differentiate its scheme from other players in the market and establish itself as a lead certification scheme thanks to a number of reasons [3], including:
- It is comprehensive, as it is European and GDPR by design, yet extensible to national, non-European and domain-specific obligations. Covering a large set of data processing activities, it is also applicable to emerging technologies.
- It is continuously updated, taking into consideration the latest regulatory developments.
- It is highly reliable thanks to a systematic assessment approach.
- It is ISO compliant, without compromising the impartiality of its procedures.
- It is independent and managed by an International Board of Experts.
- It is supported by a global network of experts and partners.
- It offers a series of online resources and tools to assist in all stages of the certification process.
- It is research and innovation empowered.
- It is time and cost efficient.
Taking the above into consideration, Europrivacy can effectively assist interested parties in identifying and reducing legal and potentially financial risks, while validating data protection compliance. As a result, it constitutes a competitive advantage, as reputation and access to the market are improved, along with trust and confidence.
Europrivacy certification procedure
Europrivacy offers a simple and thorough certification procedure that can guide prospective applicants from the start and help them maintain the benefits throughout their operations’ lifecycle. In particular, the process can be summarised as follows [4]:
- Request a Europrivacy Welcome Pack.
- Communicate your commitment to protecting personal data (Privacy Pact).
- Document compliance with the support of qualified partners and tools.
- Choose a Certification Body to assess compliance and report any residual non-conformities to be addressed.
- Demonstrate conformity with an authenticated Europrivacy Certificate.
- Monitor compliance and update your certification every three years.
Of course, the ECCP can assist potential applicants in finding experts who will assist and support them throughout their journey to certification, ensuring a time-saving procedure. Applicants can alternatively apply directly through the Europrivacy website (https://europrivacy.org/) [5], while all parties have access to the Europrivacy Community website [6], where they can find a series of additional resources, tools and materials to further facilitate the procedure.
TRUSTaWARE can, in tandem with the Europrivacy certification, identify, prevent and mitigate the impact of security and privacy threats and facilitate the road to GDPR certification and compliance altogether, providing a comprehensive solution covering all elements of a robust data protection framework.
References
[1] European Data Protection Board, Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation, 2019, available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
[2] Europrivacy, About & Policies, available at: https://europrivacy.org/en/about
[3] Europrivacy, Europrivacy Benefits and Advantages, available at: https://europrivacy.org/en/ep/benefits
[4] Europrivacy, Certification Process, available at: https://europrivacy.org/en/ep/certification-process
[5] Europrivacy, Apply to Certification, available at: https://europrivacy.org/en/contact/apply-certification
[6] Europrivacy Community website, available at: https://community.europrivacy.com/