As part of its GDPR Implementation Project, the Centre for Information Policy Leadership (‘CIPL’) has released a discussion paper on certifications, seals and marks. The paper stresses the benefits of certifications that can be adapted to different companies and contexts, all while retaining common cross-border baselines. As no such measure is currently in place ahead of the GDPRs adoption, the paper intends to: (i) facilitate the development of certifications; (ii) envisions what would work best in practice; (iii) and sets out what will be required to achieve GDPR-compliant certification mechanisms.
A useful feature of the paper is that it identifies the benefits of certifications from individuals, controllers and data protection authorities (‘DPAs’) perspective, which allows entities considering certification to see the benefits from all points of view.
The core of the certification network, according to the paper, would be an EU-wide certification standard. While the paper is very comprehensive, what appears to be missing is exactly how realistic it is that such a standard can be developed. The CIPL does, however, acknowledge that an ideal GDPR certification would be interoperable with other similar mechanisms, such as ISO standards, the EU-U.S. Privacy Shield, and the Japan Privacy Mark. The paper has very strong arguments for how the system could work in practice but, in order to implement such wide-ranging, cross-border standards, it will likely take years of development, as well as substantial resource from all stakeholders involved. The benefits, however, are substantial, creating the potential for a wholly positive data protection environment to work towards.
Some key points from the paper are as follows:
- Certifications, seals, and marks, could potentially allow companies to demonstrate “organisational accountability” in respect of GDPR compliance;
- Certified organisations would be seen by DPAs as having a lower risk profile, thus potentially reducing the need for data protection impact assessments;
- Business-to-business due diligence process may be streamlined; and
- The workload of DPAs could be reduced, as certification bodies may take the burden of supervision and oversight, and due to enhanced compliance processes, enforcement burdens and complaint handling would reduce.