The EDPB (European Data Protection Board) guidance on certification and accreditation was published in its final version a year ago on the basis of Articles 42 and 43 of the GDPR. At the EU level, there is not yet a European data protection seal approved by the EDPB, while at the national level some developments are now starting to emerge. A comprehensive initiative is coming from the Luxembourg supervisory authority, which developed certification criteria and a certification mechanism based on the International Standard on Assurance Engagements, a standard originally intended for auditors and accountants. Other data protection certifications established before the GDPR are being updated and submitted for approval by the national supervisory authorities. Much of the delay is due to the uncertainties in the GDPR articles regarding key aspects of the mechanisms, combined with the novelty of certification in European data protection law and the accompanying lack of experience and know-how.
Certification under the GDPR is voluntary
While GDPR certification is indeed voluntary, as explicitly provided in Articles 42 and 43 of the GDPR, meaning that a controller or processor is not obliged to apply for certification, certification is not entirely free from legal consequences. Once a controller or processor applies to an accredited certification body for certification and successfully goes through the certification process, a contractual relationship is established between the certification body and the controller or processor. The certification agreement is a legally enforceable agreement that ensures that the controller or processor continues to fulfill the criteria and requirements of the granted certification throughout its duration. The obligations under the certification agreement are independent of the controller's or processor's obligations to comply with the GDPR, even though some overlap is expected depending on the scope of certification.
Persons, products and management systems can be certified
Articles 42 and 43 determine that processing activities are what gets certified under the data protection certification mechanisms. When it comes to products and systems, the situation is not as straightforward as with the DPO certification. Products and systems cannot be certified as such as being GDPR compliant, but they are part of the evaluation for awarding the certification for data-processing activities. For example, a processor that has applied to have its data storage certified also needs to show the certifying entity that its information-security management system provides all the necessary guarantees for secure data storage. This is where a certification of an information-security management system might be useful.
GDPR certified means GDPR compliant
This is a common misconception. Once a controller or processor has its processing certified under a data protection certification mechanism, there is still no presumption of conformity with its legal obligations. In other fields, such as the EU legal framework for product safety, when a producer's product conforms to harmonized standards, it is presumed to comply with the relevant EU directive. Under the GDPR, certification plays a different role: it helps the controller or processor demonstrate to the supervisory authorities the technical and organizational measures taken to comply with the GDPR legal obligations. The assessment by the certifying body (either a DPA or a certification body) that a processing activity is in line with the certification criteria is not a definitive assessment of compliance with the GDPR. Rather, it helps to show that an organization has its “management system in order” and has dedicated considerable effort and resources to it, which is an element of accountability.
Certification to ISO standards is GDPR certification
It is important to draw a distinction between certifications on the one hand and ISO standards on the other. Technical and management standards, such as those developed by international or European standards organizations, including the well-known information security standard ISO/IEC 27001 or the new ISO/IEC 27701 on privacy information management systems, are not necessarily part of a GDPR certification mechanism but might be useful. They are directed toward management systems and take a risk-management approach. Nevertheless, such standards can be a very useful building block in a data-protection certification mechanism: they are widely used, and their state of the art and accumulated conformity-assessment experience are potentially important added values in the development of a new data-protection mechanism.