GDPR Data Protection Certification Mechanisms Study Released by the European CommissionAction

April 24, 2019

Posted in European Union, International

The certification mechanisms introduced in Articles 42 and 43 GDPR are among these new instrument. The study revealed a multitude of active certifications in the broader field of data protection, privacy, and information security with a diversity of attributes: origin, public/private ownership, normative basis, sector, territorial scope and others.

The long-awaited study on GDPR data protection certification mechanisms (the “Study”) was released by The European Commission (the “Commission”). The Commission announced that it would look into GDPR certifications back in January. Under GDPR the Commission is empowered to adopt delegated and implementing acts regarding certifications, specify requirements and establish technical standards for certification mechanisms. The 255-page Study aims to support the establishment of certifications and seals under Articles 42 and 43 of the GDPR, and seeks to accomplish three specific objectives:
  • explain the different terms contained in Articles 42 and 43 of the GDPR;
  • map data protection certification schemes and related technical standards and analyze 15 select certification schemes; and
  • provide recommendations for certification criteria, additional requirements for the accreditation of certification bodies, technical standards for certification and data protection seals and marks and possible safeguards with respect to data transfers.

Key findings in the Study include:

  • The GDPR, while making clear the object of certification, does not limit the subject matter to one specific area—potentially covering the full spectrum of a controller or processor’s GDPR obligations.
  • Valuable insight can be gained from analyzing existing certifications, assessment methodologies, contractual arrangements and audit processes in other industries.
  • Data protection authorities will need to rely on guidance and knowledge from other fields, including technical standards to assess certification criteria in the data protection sphere.
  • Several challenges around harmonization may arise if EU Member States adopt different accreditation models (e.g., lack of recognition of certification across EU Member States, inconsistent auditing techniques, etc.)
  • There is a structural lack of knowledge in the market regarding available technical standards relevant to data protection.
  • To promote standardization of the GDPR certifications, the EU should maintain its focus on European and international standards over national ones.
  • Despite variations between the substantive requirements of the GDPR and existing non-GDPR certifications like the APEC Cross-border Privacy Rules, such certifications provide a good example on how to set up oversight mechanisms.

This is a developing area under the GDPR. To read the full Commission’s findings as well its other recommendations, please view the full report.