What is a GDPR Certification and the European Data Protection Seal?
GDPR sets three major conditions for a GDPR certification to be recognized and have validity under the GDPR:
- The scope of certification must be focused on data processing activities. As a consequence, management system certifications, such as ISO/IEC 27001 and 27701, are not eligible under the GDPR.
- The criteria must have been approved by the European Data Protection Board.
- The certification must be delivered by a certification body that has received an accreditation under Art. 43 GDPR.
The GDPR distinguishes two categories of certifications:
- National certification criteria that are applicable only in one of the EU/EEA Member States.
- The European Data Protection Seal, whose criteria are recognized by the 30 EU and EEA Member States.
The list of officially recognised criteria (national ones and the European seal) is published on the EDPB website.
Why consider an official GDPR Certification?
A GDPR certification brings several advantages (see the benefits listed below).
How to choose your GDPR certification?
You should consider the following criteria:
1. Is the certification scheme officially recognised by EDPB?
If not, your certification will be purely informative but it will have no legal value under the GDPR.
2. Is the certification scheme applicable to both data controllers and processors?
Otherwise, you may end up using two different schemes when acting as a controller and when acting as a processor.
3. Are your data processing activities limited to a single EU/EEA country?
If yes, you can opt for a national certification. If not, you should opt for the European Data Protection Seal.
4. Is it comprehensive with the GDPR obligations?
If the criteria you use assess only part of the obligations (e.g. not assessing the lawfulness of the processing or the cross-border data transfers), you may end up with a misleading certification with blind spots in terms of compliance.
5. Can you choose among several service providers?
If not, you may end up in a business lock-in with non-competitive costs and lower quality of service.
6. What is the geographic scope of the certification in terms of certification recognition?
You can also use the formal GDPR Certification Scheme Assessment Methodology presented on the European Centre for Certification and Privacy website: https://eccpcentre.com/csam
How to obtain a GDPR Certification?
In principle, a GDPR certification will focus on your compliance with the law.
The first thing to do, regardless of any certification, is to ensure that you comply with the GDPR. You can focus your effort on your priority data processing activities.
Once you have selected the data processing activities you want to certify, there are two main approaches:
- Using qualified service providers
- Preparing it yourself
In both cases, you need to document the compliance of the selected data processing with the criteria. You can take advantage of qualified solution providers to accelerate and ease the documentation process.
Once the compliance has been documented, you need to request offers and select a qualified certification body to audit your compliance.
After auditing and verifying the compliance of the target of evaluation, the certification body decides whether to deliver a certificate of compliance, valid for three years and renewable.
In the case of the European Data Protection Seal Europrivacy, the certificates are published in the online Europrivacy registry of certificates, which allows anyone to verify the validity and authenticity of delivered certificates.
How much do you need to invest and what is the return on investment?
The largest effort is before the certification starts, by ensuring your data processing complies with the regulation. The required investment for a certification varies according to several factors:
- Whether you outsource the documentation of compliance with the official criteria;
- If you can choose among several service providers;
- The complexity of your data processing;
- The GDP per capita of your country.
If a data processing activity is well documented against the criteria, the work of the certification body can take less than a week per certificate. The best approach is to request offers from qualified service providers.
A certification substantially and effectively reduces legal, financial and reputational risks. The Europrivacy website provides a tool to assess the savings and return on investment of your GDPR certification: https://europrivacy.com/en/resource/gdpr-estimator
Benefits of a GDPR Certification
Document, demonstrate, and communicate your compliance
Reduce your legal, financial and reputational risks
Turn compliance into a competitive advantage
Contribute to better protection of personal data and data subject rights
Assess the adequacy of the technical and organisational measures in place
Facilitate Data Transfers (Art. 46 GDPR)
Comply with Data Protection by Design and by Default (Art. 25 GDPR)
Reduce risks with data processors (Art. 28 GDPR)
Online resources
Official GDPR Certification Schemes
→ Europrivacy official website: https://europrivacy.com
→ Europrivacy Online Academy: https://academy.europrivacy.com
→ Europrivacy Community and Resources website: https://community.europrivacy.com
→ List of official Europrivacy partners (implementers, certification bodies and solution providers): https://europrivacy.com/en/partners/list
→ Official registry of Europrivacy certificates: https://europrivacy.com/en/resource/registry
→ GDPR regulation: https://eur-lex.europa.eu/eli/reg/2016/679/oj
→ European Data Protection Board website: https://www.edpb.europa.eu/edpb_en