GDPR Certification
The General Data Protection Regulation (GDPR) seeks to encourage, at European Union level, organisations to demonstrate their compliance with the provisions of the GDPR. This is set out in Articles 42 and 43 GDPR, which deal with data protection certification and allow organisations to demonstrate and account for the compliance measures they have in place, while allowing them to enhance and go beyond what is required under the GDPR. Organisations may then be certified as having appropriate safeguards in place for the processing of personal data.
Such measures benefit data subjects, as they allow them to quickly assess and understand the level of data protection provided by an organisation’s technical and organisational processing operations. Along with GDPR Codes of Conduct, certification is important because it provides a public-facing accountability tool that allows an organisation to demonstrate its compliance measures to individuals, to other organisations that it works with, and to supervisory authorities.
A key part of certification is what is commonly known as a ‘certification scheme’. In the context of the GDPR, such schemes specify the mechanisms in place for the processing of personal data and how appropriate controls and measures are implemented. These may then be assessed by an accredited certification body. If satisfied, the certification body may validate and confirm that the organisation has implemented appropriate controls and measures and that its particular process or service fulfils the scheme’s requirements and data protection criteria. The certification body may then certify that this is the case. Certified organisations are subsequently reviewed and monitored by the relevant certification body to ensure that the criteria continue to be met.
In Ireland, the Data Protection Commission (DPC) is the supervisory authority responsible for approving the data protection criteria or mechanisms in certification schemes, while the Irish National Accreditation Board (INAB) is responsible for the accreditation of Certification Bodies (CBs) that intend to operate such schemes.
The following guidance should answer some of the most frequently asked questions regarding GDPR Certification:
The following document sets out the Irish accreditation requirements for certification bodies. These are additional requirements to those already set out in the standard ISO/IEC 17065:2012, Conformity assessment: Requirements for bodies certifying products, processes and services:
DPC additional accreditation requirements for INAB
The European Data Protection Board (EDPB) has also published guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 GDPR.
In addition, the EDPB maintains a register of approved national and EU Certification Schemes which can be accessed through the EDPB website.