Taking a page out of the American playbook, the European Union has embraced the idea of putting some of the regulatory burden in the hands of the private sector. Articles 42 and 43 of the General Data Protection Regulation (GDPR) introduce the concept of data protection certification schemes and privacy seals and/or trustmarks.
Although completely voluntary, approved certification and privacy seals can be used by controllers as elements to demonstrate compliance with their GDPR responsibilities: fulfilling a considerable part of their accountability principle obligations while simultaneously enhancing transparency and public awareness. Approved certification mechanisms can be used to help meet data security obligations (Article 32) and are even put forward as an appropriate safeguard enabling the transfer to a third country lacking an adequacy decision by the European Commission (Article 46).
Under the GDPR, the privacy and data protection certification arena has been given the opportunity to flourish into an integral tool that has companies excited because certification:
For a company seeking to be certified, certification and privacy seals/trustmarks (including codes of conduct) are an easy and flexible mechanism that makes complex privacy and data protection issues understandable to the general public at a glance. The flexibility is reflected in the ability to certify people, products, or processes (or possibly a combination thereof). Some privacy certification schemes and seals apply generally while others are more targeted, depending on the particular audience or industry, such as services directed at children, health data, cloud services, or even a single element such as security (e.g. ISO/IEC 27001:2013).
So, does that mean any certifier operating a privacy certification scheme will do? Not exactly. While private companies (and conceivably also other public bodies) are free to create their own privacy standards and certification schemes or seals, each scheme that promises GDPR compliance needs to be approved by the relevant data protection authority. While some certification schemes can nonetheless aid the fulfillment of (sector-specific) duties under the GDPR (possibly laying the groundwork for subsequent GDPR applicability in the near future), there will be no “presumption of compliance” without the approval of the relevant data protection authority.
On the other hand, data protection authorities will also have the opportunity to certify companies according to their own standard (although whether they will want to take on certification and the extra work that it entails is another question entirely). With only two data protection authorities currently certifying companies (France’s CNIL and Schleswig-Holstein’s ULD), expect to see plenty of activity from the private certification scene.
Why not bypass all the national schemes and simply get certified for the European Data Protection Seal? Because it’s not that simple and there is still much of the groundwork yet to be done. In a market defined by heterogeneity, agreement on what certification should look like is still very much a live and active discussion. With the Article 29 Working Party expected to bring out guidelines on data protection certification, key questions should finally be put to rest.
Confused? Excited? Or do you simply have questions related to data protection certification and seals? Do not hesitate, get in touch with Considerati.