It is a year now since the introduction of Europe's new data privacy regime, the GDPR. There was a flurry of activity leading up to and following the launch date in May 2018. Since then GDPR has fallen out of the headlines, but the teething period is far from over. We consider some of the issues that are keeping business leaders and privacy regulators awake at night.
Where are we with certification?
Those who have engaged with the compliance process will know that the GDPR includes numerous detailed requirements. Verifying compliance with all of the relevant obligations in a particular situation can be a time-consuming and bureaucratic exercise. The intention was always to streamline this where possible by providing for external evaluation, or conformity assessment, leading to the grant of a certificate that demonstrates compliance in defined areas.
The purpose of certification is twofold. First, it aims to give confidence and improve transparency for individuals whose data is being collected and used. And secondly, it can assist organisations to assess the level of compliance achieved by their commercial partners quickly and efficiently.
Unfortunately, certification schemes have been slow to appear. The first year under the GDPR has produced little concrete progress in this area, leaving organisations to undertake detailed due diligence on their commercial partners. Indeed, there has been confusion over whether certification schemes are available at all, with some businesses being persuaded to pay for something that is not “real” certification. However, we are now seeing developments and expect to have access to practical guidelines in the next few months.
A coordinated approach
Although most certification arrangements will be set up by national regulators, a coordinated approach between EU countries makes sense. The GDPR applies across the EU, and cross-border activity in data processing and storage is increasingly the norm. Implementing very different schemes would make it difficult for service providers to operate internationally.
The European Data Protection Board, where national regulators work together on developing next steps, has produced a set of Guidelines on Certification. These leave national regulators with flexibility in implementing certification structures, while setting out broad principles and processes to follow.
In addition to the Guidelines on Certification, the EDPB has published Guidelines on the accreditation of certification bodies. Certification bodies will be tasked with carrying out the practical evaluation of applications for certificates, and regular monitoring and review.
What kinds of certification can we expect?
Annex 2 to the Guidelines on Certification (currently in draft for consultation) offers some examples of the types of certification we can expect to see once the system is up and running – certificates like “Privacy Health Mark” and “Privacy Vault Seal” might be on offer. The draft Annex warns against misleading titles that could promise more than they deliver. A “Trusted Company Seal” for a business where only the online payment processes have been evaluated, for example, is likely to be misleading: users will be led to believe that the processing activities of the entire organisation have been evaluated.
In addition to carrying out national conformity assessments, certification bodies will have the option of applying to the EDPB for the ability to grant EU-wide certifications (the “European Data Protection Seal”). Although more difficult to achieve, because of the need to take account of national variations, the European Data Protection Seal is likely to offer commercial advantages to organisations offering cross-border services.
Next steps for the ICO
The UK data protection regulator, the ICO, plans to take forward the process of developing accreditation requirements over the summer, aiming to accept applications for approval of certification schemes in the second half of 2019. Accreditation of certification bodies in the UK will be administered by UKAS.
What does it mean for me?
There is still some time to wait before we can expect to see the certification schemes in action. Once this begins to unfold, carrying out due diligence on commercial partners should become significantly easier. If you are a customer for processing services, you may wish to assess which certifications you will require from your service providers as they become available.
Many organisations involved in data processing and service provision will want to obtain certification themselves, either at national or EU level. For many, this is likely to become key to retaining and improving their market position. It will be worth monitoring the accreditation of certification bodies, and considering what type of conformity assessment will offer the right profile in the market for your business. Different approaches are possible. You may wish to act quickly and be among the first to offer this new form of guaranteed compliance. Alternatively, you may take the view that, until the market value of the different types of certification is established, it makes more sense to hold off.