GDPR certification guidance drafted

Out-Law News | 04 Jun 2018 | 3:11 pm | 1 min. read

Businesses may be able to obtain certification for their products under the General Data Protection Regulation (GDPR), the European Data Protection Board (EDPB) has said.

The watchdog offered the clarification in draft new guidance it has issued on certification (17-page / 750KB PDF).

"The EDPB considers that the scope of certification under the GDPR is directed to processing operations or sets of operations," the EDPB said. "These may comprise of governance processes in the sense of organisational measures, hence as integral parts of a processing operation (e.g. the governance process established for complaints’ handling as part of the processing of employee data for the purpose of salary payment)."

"A processing operation or a set of operations may result in a product or service in the terminology of ISO 17065 and such can be subject of certification. For instance, the processing of employee data for the purpose of salary payment or leave management is a set of operations within the meaning of the GDPR and can result in a product, process or a service in the terminology of ISO," it said.

Articles 42 and 43 of the GDPR provide for businesses to be able to voluntarily sign up for certification of their data protection practices. Only data protection authorities or independent accredited 'certification bodies', which must have "an appropriate level of expertise in relation to data protection", can operate certification schemes.

Where the schemes are run by certification bodies, the criteria for certification must be approved by a national data protection authority or the EDPB. The "European Data Protection Seal" is the label given to certifications under EDPB-approved criteria.

To become accredited, certification bodies would have to show a DPA and/or a national accreditation body that they have put in place certain procedures, including procedures for handling complaints about non-compliance with the conditions of certification and for "issuing, periodic review and withdrawal of data protection certification, seals and marks".

Businesses will be able to obtain certification for a maximum period of three years before they would need to go through a renewal process to remain certified.

Under the GDPR, the European Commission can set out further details on "the requirements to be taken into account for the data protection certification mechanisms" and on "technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks".

The EDPB's draft guidance, which contains recommendations for trade bodies and other organisations considering establishing a GDPR certification scheme, is open for consultation until 12 July.