In my previous blog post, the broad strokes of data protection certification schemes and privacy seals and/or trustmarks under Articles 42 and 43 of the General Data Protection Regulation (GDPR) were laid out. But what are the actual benefits for an organization of holding a certificate under the GDPR?
In 2010, the Article 29 Working Party (WP29) argued that data protection needed additional mechanisms that translate legal requirements into real data protection measures (the move from data protection in theory to data protection in practice – in other words, time to start walking the walk). ENISA’s Recommendations on European Data Protection Certification treats seals as accountability-based mechanisms, because of their potential to facilitate scalability, compliance, transparency and (to some extent) legal certainty. Demonstrating compliance in practice can require several actions, such as proper documentation and record keeping (Article 30 GDPR).
There are a number of ways in which privacy seal buyers benefit.
First, the existing data protection mechanisms and seals aim to provide a visible means of demonstrating to customers or users that the organization respects and fulfils certain privacy or data protection standards or obligations. While seals are about conveying complex information in a rapid and simplified way, the current landscape is defined by a diversity of models, and the variation in the details of their operation is important. These variations raise questions as to what exactly is being certified (in particular, regarding the comprehensibility and accessibility of the information) and what specific guarantees are being offered. For example, EuroPriSe certifies manufacturers and vendors of IT products and IT-based services, providing clear and accessible information on its scope and the guarantees provided to data subjects; McAfee Secure certification, on the other hand, aims to build trust and increase online sales from security-conscious shoppers but makes no warranty or guarantee claims of any kind towards data subjects. The lesson to be learned? Always examine the seal scheme closely to understand exactly what is being certified and what (if any) guarantees are provided.
However, in light of today’s challenges (particularly personal data breaches) that both large and smaller enterprises find themselves up against, certification’s second benefit is the possible provision of an additional layer of safety and compliance benefits, enabling privacy risks and threats to be identified and mitigated in a timely fashion and on a regular basis. The certification process requires an assessment by an independent third party, who highlights gaps in the enterprise’s compliance with its data protection obligations. This puts the enterprise in a better position to become aware of its data protection responsibilities and thereby enables it to become more compliant.
Third, visible and defined proof of their commitment to privacy and data protection affords certified enterprises a reputational advantage, presenting a more credible image to other businesses, consumers and users. This can turn into a competitive advantage where they are able to attract and retain business on the basis of their privacy certification; for example, in Schleswig-Holstein (Germany), public bodies are legally permitted to give preference to IT products and services that are certified as complying with local data protection law.
However, there is one detail that enterprises seeking or considering certification need to keep in mind. Even after a certification body has issued a certification, the relevant supervisory authority retains several powers, including the power to withdraw the certification itself or to order the certification body to withdraw it. Such a withdrawal could discredit the privacy practices of an enterprise and lead to the loss of its competitive advantage.
Compared to large enterprises, small and medium enterprises (SMEs) stand to gain even more. The European Commission study on EU privacy seals argued that smaller and still-establishing companies are now afforded a way to offer users greater and more concrete forms of reassurance, something larger enterprises do not need to do (by virtue of their services being well known and their claims being taken at face value by consumers or users).
Lastly, privacy seals could fill the gap left by SMEs’ lack of resources and expertise for determining and assessing compliance with required or best-practice standards, provided that the seals are cost-efficient and well supported.
In short, significant benefits have been asserted for a properly structured and operated certification scheme – from helping enterprises demonstrate their compliance, and thereby be ‘accountable’, to helping them become conscious of their GDPR obligations. It will be worth watching how certification under the GDPR develops and whether it can truly facilitate the transition from data protection in theory to data protection in practice.
Were you not planning on getting certified but are now having second thoughts? Rest assured, we have the answers. Pick up the phone or send us a mail and get in touch with Considerati.