General Data Protection Regulation (EU) 2016/679 (GDPR) became enforceable on May 25, 2018 with potential fines reaching the higher of EUR 20 million or 4% of global turnover. We look at the possibilities offered by Article 42 of GDPR in relation to the certification of data processing.
GDPR is a data protection and privacy law covering the European Union (EU) and European Economic Area (EEA). Its primary aim is to give individuals control over their personal data, while simplifying the regulatory framework across the EU/EEA. It also addresses the transfer of personal data outside of the EU/EEA.
GDPR's definition of personal data is deliberately broad. It covers "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
Since its development and implementation, GDPR has been the model for similar legislation in Argentina, Brazil, California (USA), Chile, Japan, Kenya, and South Korea.
Article 42 of GDPR encourages "the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation [GDPR] of processing operations by controllers and processors."
The International Organization for Standardization (ISO) does maintain ISO/IEC 27701:2019, the privacy information management extension to ISO/IEC 27001 and ISO/IEC 27002, but it is focused on the management system rather than on the processing operations themselves. Its audits assess the continual improvement of that management system and do not test legal compliance with any specific regulation, so it does not, on its own, constitute a certification mechanism under GDPR Article 42. Certification schemes developed to address Article 42 must be approved by the European Data Protection Board if they are to have pan-European authority.
Developed through the Horizon 2020 research program and financed by the European Commission, the Europrivacy certification scheme has been designed to fulfil the requirements of Article 42. It provides a state-of-the-art methodology for certifying conformity with GDPR and covers a wide variety of products, services, processes and information systems. It is regularly updated to cover emerging technologies and changes in regulation and jurisprudence. It is the first data privacy certification scheme to have been submitted to the European Data Protection Board and, at the time of writing, the only scheme going through the formal approval process.
Europrivacy provides organizations with a comprehensive and systematic assessment of their conformity with GDPR. This covers the identification of all personal data processed and the lawfulness of that processing. It also considers the requirements regarding minors, transparency, the personal data life cycle, the effective implementation of data subjects' rights, security and, where applicable, complementary national and/or domain-specific requirements.
For stakeholders, the benefits of certification to Europrivacy include:
There are three broad stages to Europrivacy certification:
Working in this way, an organization moves from uncertainty and risk to trust and confidence in its GDPR-compliant data processing systems.
SGS has partnered with Europrivacy to deliver certification services against this comprehensive data protection certification scheme, enabling organizations to demonstrate GDPR compliance.
Learn more about how SGS partners with Europrivacy to deliver the first comprehensive data protection certification for demonstrating GDPR compliance.