Certification is a new tool that meets the needs of professionals wishing to demonstrate that their processing operations comply with the General Data Protection Regulation (GDPR).
The introduction of certification mechanisms can promote transparency and compliance with the GDPR and enable data subjects to be informed about the level of data protection of the organisation that processes their personal data.
GDPR certification mechanisms can also be useful in commercial relations between companies, for example between the data controller and its sub-processor. These parties can benefit from independent third-party certification to demonstrate that their processing operations comply with the GDPR.
What are the main features of certification?
Certification is
- a voluntary process that helps to demonstrate compliance with the GDPR. The GDPR does not introduce any right or obligation for controllers and processors to be certified.
- an accountability tool. It enables companies, public authorities, associations and other bodies to demonstrate their compliance with the GDPR.
- a legally binding tool, unlike, for example, ISO certification of management systems.
What are the advantages of certification?
- Certification enables organisations to demonstrate their compliance with the GDPR.
- Certification can boost the confidence of an organisation's customers and other stakeholders, thereby helping to strengthen its brand image. In this way, certification can provide a competitive advantage and an opportunity to stand out in its market.
- Compliance with approved certification mechanisms is a factor that supervisory authorities may take into account as a mitigating circumstance when, following an investigation, they decide whether to impose corrective measures or an administrative fine, and when they set the amount of that fine.
Who can develop certification criteria?
A certification scheme may be drawn up by a supervisory authority such as the CNPD or by a public or private entity such as
- an organisation specialising in personal data protection assessment,
- a consumer protection association,
- an industry federation, or
- a body representing categories of data controllers or processors.
The entity that has drawn up the certification criteria is referred to as the owner of the certification scheme.
For a scheme to qualify as a certification under the GDPR, its criteria must in all cases be approved by the supervisory authority or by the EDPB.
As with "traditional" certifications, certification schemes must be regularly revised by their owner in order to take account of changes in regulations.