Privacy seals, certifications & marks possibilities as a result of the GDPR
GDPR World Series
The General Data Protection Regulation (‘GDPR’) will bring the possibility for businesses to apply for data protection certificates, seals and marks. In this blog, we will discuss this innovative approach to privacy compliance procedures and their potential to increase your company’s competitive advantage.
By Filipa Carmo Pedro (Deloitte NL) and Ria Halme (Deloitte FI)
An official “stamp-of-approval”
Data protection certification, seal and mark mechanisms for processing operations, unheard of in the legislation that preceded the GDPR, are voluntary in nature. These mechanisms were included by the legislator to aid controllers and processors in demonstrating that the processing of personal data they carry out is compliant with the GDPR and helps businesses to ensure that appropriate technical and organizational measures are effectively in place.
Moreover, such measures might prove to be particularly useful for controllers and processors in third countries – certificates held by these parties, if coupled together with binding enforceable commitments to apply appropriate safeguards, can be used as a legitimate basis for cross-border transfers of data. Certificates, seals and marks can be attributed to a controller or processor for a maximum period of three years, and can be renewed provided the same requirements are met at the time of renewal.
The GDPR defines as certification bodies:
• The competent supervisory authority;
• An accredited (public or private) body; and
• The European Data Protection Board (‘EDPB’).
As for the accreditation of certificate bodies, it shall be valid for a maximum period of five years with the possibility of renewal, provided the criteria set out by the national accreditation body / supervisory authority / EDPB are met.
Where the European Data Protection Board approves this criteria, this may result in a common certification (i.e. European Data Protection Seal), which is consistent with the GDPR’s incentive to a uniform approach.
Lastly, and although the GPPR encourages businesses adherence to these mechanisms, there is still no EU-level uniform version of the requirements for certification, nor are there requirements in place for the aforementioned certification bodies to grant such a seal. Thus a common European Data Protection Seal is yet to be developed.
Monthly GDPR email alert
Receive the latest GDPR articles once a month.
Acquiring a certification, seal or a mark
The specific processes and entities accredited to provide a company with a certificate, seal or a mark are still under discussion, and no decisions were made yet on how these will work. However, the GDPR states that Member States and relevant EU-level authorities shall encourage the establishment of these mechanisms. Hence, it can be expected this development will be based on already existing best practices and approved methods, instead of being started from scratch.
Moreover, publications of official EU-level authorities and several Article 29 Working Party (‘Art 29 WP’) guidelines have provided input on the interpretation of the GDPR, including references to existing commonly acquired technical standards, such as the ISO. Thus the Art 29 WP’s guideline on Data Protection Impact Assessment (‘DPIA’) refers directly to the ISO-standard 31000:2009 as something that has been taken into account when drafting the guidance. Similarly, the European Data Protection Board will have mandate to enforce a technical privacy-enhancing standard on their own initiative.
Hence, a careful estimation is that the currently existing approved mechanisms can be taken into consideration when developing these instruments, enabling business to build upon existing methods, provided they are made GDPR-compliant.
Pros and cons
Prior to embarking on the use of these instruments, it is essential that your organization considers its pros and cons. For smaller companies, the costs can be substantial, as the renewal period is three years. The instrument itself also doesn’t guarantee GDPR compliance on its own - additional measures are needed, and resources required need to be planned accordingly. Also, how the market will react remains to be seen. Thus the concrete added-value for the company will only be known once these mechanisms are implemented.
However, taking into account that consumer expectation upon their privacy has been on the rise, an official indication of GDPR compliance, even of a voluntary nature, enhances consumer trust and competitive advantage. A company which is able to show they have reached a certain level of privacy protection will be an easier choice for consumers as well as for business partners.
In addition, this enables vendors to acquire new businesses in an easier manner as a controller will be more likely to engage with a certified GDPR compliant processor. At the same time, a controller’s choice based on this premise helps to demonstrate all appropriate measures were taken prior to outsourcing the processing of the data. It will be interesting to see how this will play out when the GDPR becomes enforceable, especially if we think about the example of cloud service providers, which many times have unnegotiable service level agreements and thus might benefit from an indication that they are serious about protecting privacy.
Instruments for demonstrating compliance are here to stay, but should be carefully analyzed on a case-by-case basis. That said, if done right, they are an effective and straightforward solution to demonstrate compliance and generate new business opportunities.
How are organisations facing the challenge of complying with the GDPR?
How will international data transfers be impacted by the GDPR?