Since the EU General Data Protection Regulation was adopted in April 2016, TrustArc General Counsel and Chief Data Governance Officer Hilary Wandall CIPP/E, CIPP/US, CIPM, FIP and her company have been waiting to see what certification might look like under Articles 42 and 43 of the rules.
Fast forward to a little over a month before the GDPR arrives, and certification is still in a place of uncertainty; TrustArc has been keeping notes.
“We have been working very closely with the European Commission as well as the researchers who are looking at certification to help talk through models that work, some of the challenges with certification, and how to do it effectively, but that work is still very much in its infancy in terms of what these certification models might look like under GDPR,” said Wandall in an interview with Privacy Tech.
With so much around certification still shrouded in mystery, clients have been asking TrustArc to find a way for them to display their GDPR compliance status, particularly to their B2B customers.
Those calls prompted TrustArc to create its GDPR Validation solution, a tool Wandall and her company have released to fill the gap until the certification question is answered.
GDPR Validation works through TrustArc’s existing platform. Organizations will enter all of the compliance work they have done, and the evidence backing up their efforts, into the Validation solution based on criteria TrustArc has developed.
“What we will do is look at their ability to meet 40 specific objective validation requirements, such as whether they have established a governance strategy for their program, whether they have appointed a privacy leader, specifically if they have determined whether they need a DPO, and if they have appointed one, whether the DPO is meeting all the different requirements that need to be in place for them under GDPR,” said Wandall.
Other validation requirements the solution will call for include detailing processes for vetting vendors; developing security programs under Article 32; whether companies have developed records of processing under Article 30; breach notification and incident management preparedness; and whether companies have data protection impact assessments, data subject rights processes and risk assessments in place.
After an organization finishes, its submission is reviewed by privacy professionals who determine whether it has met the standards needed to receive a letter attesting to its GDPR compliance status, whether for its entire program or for a specific portion of its work.
The privacy professionals conducting the reviews are mostly lawyers who have worked either at a law firm or in a company as a chief privacy officer. Wandall said these professionals either come in with, or quickly earn, an IAPP CIPP certification; most hold a CIPP/US. Wandall and TrustArc want more of the privacy pros working on the solution to earn their CIPP/E.
While automation may be popular among GDPR solutions making their way into the marketplace, Wandall and TrustArc believe it is crucial for a person to make the decisions.
“The reason why it is important is that a simple review of an answer is not enough to meet the requirements that we have,” said Wandall. “For validation, you have to provide evidence to demonstrate that you are meeting the requirements, and the need to review that evidence is something that at this point in time is far too subjective for a machine to be able to do.”
Once the privacy professionals finish the review, those organizations that have passed will receive a letter saying they have been approved by TrustArc’s certification arm, TRUSTe, according to the validation requirements they have chosen. The letter lists and links to all of those requirements and notes that it is valid for only one year.
Wandall explained the reasoning behind TrustArc’s decision to have the letter expire after one year.
“What we found in our experience over time is that privacy practices change all the time, and they change all the time because companies’ data usage and organizational structures change all the time,” she pointed out. “In order for something to be held as being a representation of what is happening in a business, we have found the max where that is accurate is a year.”
When asked why a similar solution had not hit the marketplace, Wandall said there was an expectation certification guidance would be provided by the Article 29 Working Party before May 25. But, so far, that hasn't happened. As a result, TrustArc began to work on GDPR Validation.
TrustArc will be paying attention to the ways the rules play out, as well as any potential updates from the Article 29 Working Party, to determine how their solution will grow.
“We anticipate that the validation program itself, as well as what certification will look like, will continue to evolve as more Article 29 guidance comes out, because so much of it still has not been released,” said Wandall. “They are still interpreting so many of these different requirements under the articles of the GDPR.”