In this article Grant Thornton Luxembourg outlines the risks of not certifying data processing activities. In an increasingly regulated data environment, Shariq Arif, Data Protection Director at Grant Thornton, shares his views alongside the perspective of Alain Herrmann, Data Protection Commissioner, and Elena-Cristina Gerth, Head of Certification & Codes of Conduct at the CNPD.
“The CNPD is encouraging decision makers to certify their processing activities”, says Alain Herrmann.
Since the entry into force of the EU regulation 2016/679 (the GDPR), the firm’s top management have invested significant resources to comply with this legislation.
What are GPPR certifications?
“While internal processes and procedures can signal accountability, providing concrete evidence is more difficult. This highlights a need for clear and transparent approved 3rd party GDPR certifications. This is especially relevant in light of the recent legislative developments that build on top of the GDPR, where additional requirements cannot be fulfilled without a robust foundation”, says Elena-Cristina Gerth.
She adds “GDPR certifications are issued to controllers or processors to inspire trust to core stakeholders, including data subjects. They are issued per group of processing activities, and are strongly encouraged for organisations that process large amounts of personal data, in both the public or private sector.”
Why get certified?
GDPR certification is an effective tool to demonstrate a functioning data governance framework.
“GDPR certifications allow one to build a data map. They support the firm’s decision makers evidence they apply data protection by design. Indeed, it will be very hard to be compliant with upcoming texts, as all laws, including – the Data Governance Act, Data Act, Data Services Act, and the AI Act – refer to the GDPR for the handling of personal data”, says Alain Herrmann.
GDPR certifications ensure that optimal privacy-preserving methods have been deployed. They also ensure, through independent inspection, that firms have satisfied their information obligations and data subjects have control over their data.
In short – GDPR certifications are accountability tools that have far reaching benefits.
It goes without saying that “individuals all want their data to be handled securely, however they are most inclined to think about this when there is a problem. Certifications are likely to be an enabler (to mitigate breaches happening in the first place)”, adds Alain Herrmann.
Which certifications should be considered?
“When it comes to choosing an appropriate certification, it is worth considering those (certifications) that are recognised and officially adopted by the European Data Protection Board (EU Seal) or the National Data Protection Authorities (national GDPR certification)”, says Alain Hermann.
There are two that standout: Europrivacy and GDPR-CARPA.
Europrivacy has been approved by the EDPB as a European Data Protection Seal. That makes it the only GDPR certification to date, officially recognised in all EU Member States. It is based on the ISO 27001 standard.
Meanwhile, the GDPR-CARPA, a national scheme, is a certification that was developed by the Luxembourgish Data Protection Authority, where the certification can only be granted by CNPD approved statutory auditors. It is based on the ISAE 3000 assurance reporting requirements.
By obtaining certifications aligned with GDPR standards, the firm’s decision makers not only provide tangible evidence of their commitment to data protection, but also show their house is in order. Such certifications show that a robust compliance foundation is in place, evidencing the firm is well placed to comply with upcoming, additional regulations in an increasingly data-driven landscape.
GDPR certifications not only evidence that you have satisfied the GDPR. They lay the compliance foundation for the regulatory wave that follows, where non-compliance can put at risk the going concern of your organisation.
Grant Thornton Audit and Assurance S.A., (Luxembourg) became an approved GDPR-CARPA certification body on 18 May 2023.