What does it mean to “certify” under the GDPR? The certification of products, services, and privacy programs under the GDPR is detailed in Articles 42 and 43. There are two different types of certification: self-certification, and certification by a third party. While self-certification is not an official certification required by, or provided for in, the GDPR, it can be a very valuable tool in demonstrating compliance, and in reporting to the DPA should they have questions.
At Nymity, we believe that certification is mostly intended for internal use, and that seals and trust marks are used for the purpose of public information. Ideally, the primary seal would be the European Data Protection Seal. There is some concern surrounding the risk of proliferation of seals and trust marks leading to a loss of consumer trust in these types of certifications.
Article 42 GDPR states that certification needs to be both voluntary and transparent, and issued for a maximum of three years, based on full information and access. A third party certification body, under Article 43 GDPR, needs to be accredited with the DPA or a national accreditation body, and must be independent and backed by sufficient expertise on data protection issues. It will need to comply with a number of procedures governing how to issue and review certifications, and how to deal with certificate infringement.
Accountability and Certification
Nymity believes that the certification process for a full privacy program begins with accountability. An accountable organisation has a privacy program, and has the documentation in place in the event of a review by a third party. This third party can issue certification to the privacy officer or DPO, who can use the certification for audits and inspections. To this end, Nymity developed the Compliance Capacity Report. A Compliance Capacity Report can be helpful in preparing for the certification process, as there are many elements of a privacy program that will need to be in order prior to applying for certification. A Compliance Capacity Report:
- Ties the technical and organisational measures that are maintained to the relevant provisions of the law.
- Reflects the organisation’s structured approach to recording appropriate technical and organisational measures (collected evidence, questions, and owners).
- Could be generated for the organisation as a whole, and for one or more departments.
- Could be generated automatically at set intervals, or as needed.
Once your organisation has developed its Compliance Capacity Report, your privacy officer or DPO can verify the information in the report and confirm that all the evidence is correct and up to date. The report would then be sent (electronically or physically) to the third party compliance monitor for review, who will verify the organisation’s capacity to comply. It is unclear at this time whether certification will require on-the-spot checks. For more information on Nymity’s Compliance Capacity Report, read our recent blog post, “Demonstrating Compliance to Regulators: What Does it Mean?”.
Whether a person or a software solution, the third party compliance monitor has an important role to play. They confirm whether the evidence meets the requirements of the legislation, and whether the technical and organisational measures have been implemented.
Third party roles and responsibilities include:
- Defining the mandatory measures for each privacy law
- Monitoring the organisation’s compliance infrastructure
- Monitoring mandatory measures to demonstrate compliance
- Ensuring that appropriate technical and organisational measures are maintained over time, and that each measure has up-to-date owners and evidence
A third party certificate will include:
- Process certificate (scope is the privacy law)
- Verified compliance capacity report (which includes a visualisation of capacity to comply over time, the owners of evidence, and current/historical status)
The most significant reason to seek third party certification is international data transfers. An organisation in a non-adequate third country, for instance, can apply to an EU accredited certification service provider to verify its compliance. The certification received is then sufficient to allow personal data to be transferred from an EU organisation to the organisation in the non-adequate third country. This negates the need for negotiations, contracts, binding corporate rules (BCR), and other transfer instruments.
Another advantage to certification is in dealing with regulators. Having the certification proves that your organisation has prioritised compliance and worked hard towards building organisational and technical measures to support the legislation. Similarly, third party certification prepares the path to obtaining an official seal or trust mark.
There is also the possibility that certification will provide a monetary advantage by reducing insurance fees.
The European Commissioner has commissioned a report from a European university, with the purpose of taking inventory of existing certification mechanisms and assessing best practices. This will assist in discovering what is currently available, what procedures are currently being followed, and what the best practices are. Once the report has been reviewed, the EU can decide which models of certification will be embraced, and how to proceed with the accreditation of certain certification programs. Nymity was told the study will likely be released at the end of May 2018.
Nymity is still conducting research on our own proposed certification mechanism. The second research paper is available on our website, and there will be two further updates in 2018. We welcome your feedback! Please share with us your opinions on the model itself and on the certification mechanisms. You can view the report on our website.