The State of Play on GDPR Certifications
Last month we attended the IAPP’s Privacy Security Risk Conference in Austin, Texas. With the GDPR and upcoming CCPA, the conference seemed to focus more heavily on privacy than security. Nymity was there to talk about both the GDPR and the CCPA, as well as the 700+ other privacy laws around the world.
In addition to our booth on the show floor, we also hosted two talks:
1. Are You Ready to Report on GDPR Compliance?
On the Little Big Stage, Nymity’s Paul Lewis discussed regulator ready reporting, which allows organisations to efficiently produce reports that clearly tell a story reflecting compliance. To learn more about regulator ready reporting, and how to ensure compliance and minimise risk, read our blog here.
2. What Is the Current State of Play Regarding Certifications Under the GDPR?
Nymity’s Paul Breitbarth hosted the panel discussion, along with Gabriela Zanfir-Fortuna, Policy Counsel for the Future of Privacy Forum, and John Howie, Privacy Expert and former CPO, Huawei. They discussed how certifications can give organisations a more public way to confirm that they are meeting their data protection obligations, and more. The key takeaways from the panel were:
- Certifications under the GDPR are still a long way out.
The European Data Protection Board (EDPB) issued draft guidelines earlier this year, but they are unlikely to be finalised before Q1 2019. The main focus of the guidelines is how certification bodies get accredited. Accreditation is carried out by the data protection authorities (DPAs) or by the national accreditation bodies in the EU Member States. Only once the first certification bodies have been accredited can the first certification schemes be approved and launched.
What can be certified under the GDPR? Processing operations or sets of operations, including governance processes, such as the governance process established for complaints handling as part of the processing of employee data for the purpose of salary payment. According to EDPB Guidelines, p.12, “…certifications under the GDPR are issued only to data controllers and data processors, which rule out for instance the certification of natural persons, such as data protection officers.” Certification of data protection officers is nevertheless under dispute, since both the Spanish and French data protection authorities have issued national guidelines on DPO certification criteria.
- The industry is waiting for certifications
While the industry waits for certifications, there are also concerns about whether they will work. Certification mechanisms in other industries have not always succeeded: they often provide paper-based assurance without any real-life checks, which undermines their reliability. Certification bodies will need to address this when they bring GDPR certifications to market.
The open question is how to ensure that a certification reflects more than a paper-based reality, and that adherence to the certification criteria is monitored over the life of the certificate, especially where a certificate remains valid for several years. Based on conversations during the conference and questions from the audience during the panel, there is a clear interest from industry in getting GDPR certifications up and running and in resolving the shortcomings of other mechanisms.
- Organisations should not hold off on preparing for their application
The fact that GDPR certifications will not be available until 2019 (or possibly 2020) does not mean organisations should wait to prepare their application. The best course of action is to develop a comprehensive privacy program at both the enterprise and project level, and to maintain it on an ongoing basis.
At the enterprise level, you will need to ensure that you define the privacy management activities that you want to include in your privacy program, and implement the appropriate technical and organisational measures throughout the organisation. You can map such a program to multiple laws, allowing for better compliance across the board while saving time doing so. Furthermore, you will need to document how you update these processes on an ongoing basis and who is responsible for them.
At the project level, processing activities need to be entered in the register of processing activities (mandatory under Article 30 GDPR and relevant in other jurisdictions). This provides insight into how data is processed across the organisation. By also tying your technical and organisational measures (the policies and procedures embedded throughout the organisation) to the individual processing operations, you will be able to demonstrate that your policies are actually applied in practice, not just written down.
The combination of the documentation at the enterprise and project level will form the core of any application file for a certification of a privacy program under the GDPR, and allow the certification body to easily assess the quality of the privacy program. Until the certifications are in place, the documentation can also be used to self-certify compliance to internal stakeholders, business partners and data protection authorities.
To prepare for the arrival of certification, organisations should document implementation status and progress over time, monitor their compliance infrastructure (their capacity to comply), monitor the measures that are mandatory for demonstrating compliance with a given privacy law, and ensure that appropriate technical and organisational measures are maintained over time, with up-to-date owners and evidence. This can be done for every single data protection law.
Over the past 15 years, we have helped thousands of privacy officers operationalise compliance.