Earlier this month, the CNIL announced that CNIL labels would now be available for two categories with respect to processing of personal data:
i) data privacy audit procedures, and
ii) data privacy professional training.
The labels signify to the public that the product or process offered meets the requirements of the CNIL in terms of quality and compliance.
The CNIL had the possibility of issuing labels on products or procedures to mark their compliance with the Data Protection Act as far back as 2004. However, because of logistical problems, the CNIL was not able to deliver such labels. The law of 13 May 2009 removed such barriers. Moreover, Decision 2011-249 of 8 September 2011 modified the CNIL’s internal regulations and paved the way for products and procedures to receive a label as a seal of approval.
The process for obtaining the label involves setting up an application file evidencing compliance with a full set of specifications, ranging from knowledge of, and capacity to comply with, the French Data Protection Act to high-quality standards.
As a result, for data privacy audit procedures, the CNIL has worked with the ISO 19011 standard.
The CNIL will have two months to consider an application for a label. The cost of the application and of any amendments is not yet known.
If awarded, the label will be valid for three years and the company can display the label logo.
Refusal to issue the label, or its withdrawal, does not mean that the applicant is in breach of the Data Protection Act. It just means that the product or process does not meet the CNIL's requirements for obtaining a label.
As data security and data protection compliance become more prominent, the CNIL label could be seen as a notable competitive advantage in the market in these two areas.