The EU General Data Protection Regulation has been in effect for five months, and yet there has not been much progress on the certification front. Companies are waiting to see what form certification will look like under Articles 42 and 43 of the GDPR, and tech vendors are coming out with solutions to help organizations display their GDPR compliance efforts in the interim. 

Nymity Director of Strategic Research and Global Outreach Paul Breitbarth, Future of Privacy Forum Policy Counsel Gabriela Zanfir-Fortuna, and John Howie, CIPP/E, CIPP/US, CIPT, sat down for a conversation during the IAPP Privacy. Security. Risk. conference to break down the murky future of GDPR certifications and what companies can do to prepare for them in the interim.

While GDPR certifications have not yet appeared, plenty of regulatory bodies have come out with guidance on the subject. The European Data Protection Board released its 1/2018 Guidelines earlier this year. Zanfir-Fortuna said the EDPB was accepting draft comments until July, and the industry currently awaits a finalized draft. The European Commission also has a certification report in the wings. Zanfir-Fortuna expects the commission to publish the document soon, saying "we are eagerly awaiting it."

With all the guidance that's emerged from global regulatory bodies, including from the CNIL on the certification of data protection officers and Demark's data protection authority, there remains controversy surrounding GDPR certifications. Under Article 42 of the GDPR, certification mechanisms will be issued to data controllers and processors. However, Zanfir-Fortuna said, the EDPB interpreted that language to mean natural persons, such as a data protection officer, cannot obtain a certification. That is: An organization's data processes themselves would be certified.

One of the reasons why certification has yet to take shape, Zanfir-Fortuna explained, is that the factors to be considered for the development of certification criteria are plentiful.

The criteria includes:

  • The lawfulness of processing pursuant to Article 6.
  • The principles of data processing pursuant to Article 5.
  • Data subjects' rights pursuant to Articles 12–23.
  • The obligation to report data breaches pursuant to Article 33.
  • The obligations to data protection by design and by default pursuant to Article 25.
  • Whether DPIAs pursuant to Article 35(7)(d) have taken place and the technical and organizational measures put in place pursuant to Article 32. 

"If you look at it, it more or less covers the entire legislation," Zanfir-Fortuna said. "It would make it terribly difficult to certify a product or service."

Breitbarth agreed with Zanfir-Fortuna, adding, "If you look at this guidance it seems impossible."

When certifications are finally made available, companies will be lining up to start the process, right? Ready to receive that GDPR seal? Breitbarth believes so. But Howie took a slightly different point of view.

"People don’t enjoy getting certifications," he said. "Businesses are going to groan. Certifications are costly to obtain and maintain."

Whether that's true in this case will only become evident with time. But for companies who already know they're interested, Breitbarth said there is plenty to do to prepare in the interim. 

Breitbarth cited Article 24(1), the responsibility of data controllers to implement the proper technical and organizational measures to ensure processing is in accordance with the GDPR and Article 30, which focuses on the records of processing activities, as two focus areas entities should lock down to well position themselves. But he added that while a stamp of approval looks good to window shoppers, the companies that see real success practice good hygiene in perpetuity. 

"Compliance is a one-off thing, but if you look at the ongoing process, that is why you need regular reviews. Certification is a snapshot of a moment in time and your certificate is good for three years, but in those three years, a lot can change."

So when exactly will we see movement on GDPR certification? That's anyone's guess, and Breitbarth had one.

"I think this time next year when we discuss the same topic in Vegas, then you will be able to get your certification body approved," Breitbarth said.