The GDPR makes over 70 references to certification. As stated in recital 100 and Art. 42, certification aims to support compliance and to allow an easy assessment of whether a service or product complies with the regulation. It applies to any data processing activity that involves personal data and is carried out by a data controller or processor. Companies can apply for GDPR certification regardless of their location. However, in countries that do not protect and respect the privacy of their citizens, certification may not be achievable.
The GDPR sets three major conditions for a certification to be recognised and valid under the regulation:
The GDPR distinguishes two categories of certifications:
The list of officially recognised criteria (national schemes and the European Data Protection Seal) is published on the EDPB website.
Why consider an official GDPR certification?
A GDPR certification brings several advantages.
How to choose your GDPR certification?
You should consider the following criteria:
1. Is the certification scheme officially recognised by the EDPB? If not, your certification will be purely informative and will have no legal value under the GDPR.
2. Is the certification scheme applicable to both data controllers and processors? Otherwise, you may end up using two different schemes, one when acting as a controller and another when acting as a processor.
3. Are your data processing activities limited to a single EU/EEA country? If yes, you can opt for a national certification. If not, you should opt for the European Data Protection Seal.
4. Is it comprehensive with respect to the GDPR obligations? If the criteria you use assess only part of the obligations (e.g. they do not assess the lawfulness of the processing or cross-border data transfers), you may end up with a misleading certification that has compliance blind spots.
5. Can you choose among several service providers? If not, you may end up locked in to one supplier, with non-competitive costs and lower quality of service.
6. What is the geographic scope of the certification in terms of recognition?
You can also use the formal GDPR Certification Scheme Assessment Methodology presented on the European Centre for Certification and Privacy website: https://eccpcentre.com/csam
How to obtain a GDPR certification?
In principle, a GDPR certification focuses on your compliance with the law.
The first thing to do, regardless of any certification, is to ensure that you comply with the GDPR. You can focus your effort on your priority data processing activities.
In both cases, you need to document the compliance of the selected data processing activities with the criteria. Qualified solution providers can accelerate and ease the documentation process.
Once compliance has been documented, you need to request offers and select an accredited certification body to audit your compliance.
After auditing and verifying the compliance of the target of evaluation, the certification body decides whether to issue a certificate of compliance. Under Art. 42(7) GDPR a certificate is valid for a maximum of three years and may be renewed.
The largest effort comes before the certification starts: ensuring that your data processing complies with the regulation. The investment required for a certification varies according to several factors:
If the data processing is well documented against the criteria, the certification body's work can take less than a week per certificate. The best approach is to request offers from several qualified service providers.
A certification substantially reduces legal, financial and reputational risks. The Europrivacy website provides a tool to estimate the savings and return on investment of your GDPR certification: https://europrivacy.com/en/resource/gdpr-estimator
Benefits of a GDPR Certification
Document, demonstrate, and communicate your compliance
Reduce your legal, financial and reputational risks
Value compliance with a competitive advantage
Contribute to better protect personal data and data subject rights
Assess the adequacy of the technical and organisational measures in place
Facilitate Data Transfers (Art. 46 GDPR)
Comply with Data Protection by Design and by Default (Art. 25 GDPR)
Reduce risks with data processors (Art. 28 GDPR)
Frequently Asked Questions
It is a certification that aims to demonstrate the compliance of personal data processing activities with the GDPR. To be valid and recognised by the EU/EEA authorities, a GDPR certification must be issued by a certification body accredited under Art. 43 GDPR, against criteria officially approved under Art. 42(5) GDPR (by the competent supervisory authority for a national scheme, or by the EDPB for the European Data Protection Seal).
Mainly to reduce your risks and to get value from your compliance. It is a strong signal to all stakeholders of your commitment to personal data protection and regulatory compliance.
You can contact qualified service providers to help you document your compliance with the certification criteria, or go directly to an accredited certification body if you have already completed your compliance documentation. You can also train and become a qualified expert through the Europrivacy online academy.
Yes, you can use the officially approved criteria to document your compliance with the regulation without being certified. You can then decide at a later stage whether to opt for a formal certification.