It is a question that many organizations face: How do we prove to consumers and potential business partners we are compliant with the EU General Data Protection Regulation? Short of walking everyone through an accountability program, organizations essentially have to rely on squishy things like trust and an effective privacy notice that people actually read. Or a third-party service like TrustArc's, which doesn't offer "official" documentation of compliance, but is at least in line with other self-regulatory efforts like Privacy Shield, so is familiar to the industry.
However, the GDPR holds out a great promise: The certification mechanism in Article 42. This could be an "official" signal to the world that an independent party has assessed a program and determined it fit for purpose. But how will it work? Who will do the certifying? How will an organization get approved to do the certifying? What will be certified?
Last week, on GDPR Day, as the law finally came into force, the newly minted European Data Protection Board shed some light on these questions and more with newly released guidance on “certifying and identifying certification criteria in accordance with Articles 42 and 43” (there are also "codes of conduct" mentioned in the GDPR alongside certifications, but they aren't addressed in this guidance).
One big question the EDPB answers: No, you can’t certify individual data protection officers. So, anyone telling you they’re selling “certified DPO” credentials is perhaps a charlatan: “It follows from Article 42.7 that certifications under the GDPR are issued only to data controllers and data processors,” the EDPB writes, “which rule out for instance the certification of natural persons, such as data protection officers for example.”
Nor is it likely that an entire company’s operations would be certified as a whole (as TrustArc offered with its initial GDPR Validation product). Rather, the EDPB focuses on discrete “processing operations,” or, in the parlance of the International Organization for Standardization (known as ISO), “a product, process, or a service” (which TrustArc now offers as well, in response to market demand). The object of the certification – the “target of evaluation,” or ToE – must be well defined, in fact.
This is similar to how the current EuroPriSe Seal works, where they certify products and services, and they have been eagerly awaiting this guidance and the establishment of certification criteria.
The EDPB provides the example of a bank looking to certify its online banking operations. The secure log-in process is discrete, easy to identify, and a clear process that the user understands, the EDPB reasons; therefore it can be certified. The “web front-end,” by contrast, “is not understandable by the end user,” the board reasons, and therefore could not be certified. However, a process such as “online banking,” which might incorporate some front-end interface along with some back-end processing, might be a process that end users could intuit and therefore is something that could be certified.
To simplify: A user can easily understand that they log on to a website, click some buttons, and their money moves from one place to another. A user is much less likely to understand that a web front-end contains any multitude of elements, such as cookies, third-party advertisers, and authentication mechanisms.
The EDPB notes that “the individual object of certification must be meaningful with respect to the message or claim made on/by the certification and should not mislead the user or consumer.”
But who will do the certifying? Possibly, it will be the data protection authorities themselves. This may be unlikely, however. As both the implementer and overseer of the certification program, a DPA “will need to give consideration specifically to the separation of powers relating to investigations and enforcement to avoid any potential conflicts of interest.” Perhaps more germane is that most DPAs are already at their capacity with simply enforcing the GDPR, so few may be likely to stand up a new certification scheme.
Thus, the task is likely to fall to “certification bodies.” These organizations will have to be accredited by a member state accreditation body (yes, certifying bodies will have to be certified) and can either operate only at the member state level or EU-wide, if certification criteria are approved by the EDPB itself. In fact, Article 42 encourages an EU-wide outlook for certification schemes, in line with the harmonization that is the goal of the GDPR.
This may result in the ability of a certification body to award a “European Data Protection Seal,” which would indicate that the certification criteria take into account all of the member state derogations and truly indicates (but does not guarantee) that the data processing operation in question is GDPR compliant across the EU. In this case, the certification body would be accredited by a member state body, but have its criteria for certification approved by the EDPB, rather than a member state authority (or maybe in addition to).
This is the method that EuroPriSe has said it will pursue and where there is likely to be the most demand. While some companies will obviously only be doing business in one member state, and may, for example, seek certification of their employee data handling, it’s likely the companies most interested in validating their processing operations will be those operating as part of the Digital Single Market and looking for EU-wide certification.
Thus there will be two levels of approval for certification criteria. At the member state level, DPAs will approve criteria put forward by certification bodies (or by themselves, which presents a conflict) that would demonstrate compliance with member state data protection law; at the EU level, the EDPB will approve criteria that would demonstrate compliance with all member states’ data protection law.
Employment law, especially, might be an area where organizations would seek an EU-wide certification, but find that few certifications could come up with criteria that would satisfy every member state.
The criteria would vary widely, depending on the processing operation being certified, but the EDPB notes they should be verifiable, based on the principles of the GDPR, and “formulated in such a way that they are clear and comprehensible and that they allow practical application.”
Finally, there is the question of why you would want to get certified in the first place. The answer to that is easy: One of the factors that data protection authorities are asked to consider by the GDPR when administering fines or other enforcement actions is “adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42.”
Unfortunately, in its guidance on administrative fines, the Article 29 Working Party (now the EDPB) only focused on the codes of conduct aspect, but the reasoning is likely similar: “In case of a breach of one of the provisions of the Regulation, adherence to an approved code of conduct might be indicative of how comprehensive the need is to intervene with an effective, proportionate, dissuasive administrative fine or other corrective measure from the supervisory authority.”
Plus, to bring this piece full circle, organizations are just looking for a way to “prove” compliance. Especially in the business-to-business community, it is likely that certifications will go a long way in creating trust in a new world where processors are providing assurances to controllers and controllers are responsible for the data handling practices of their processors.
With this guidance out, we should now see certification bodies jump into the breach.