The Article 29 Working Party (WP29) published a consultation on guidelines for the accreditation of certification bodies under the General Data Protection Regulation (GDPR), which closed at the end of March.
The consultation guidelines would require a certification body under the GDPR to be accredited by either the competent supervisory authority or the national accreditation body, or both. The guidelines aim to establish a harmonised baseline for certification.
In brief, the guidelines:
- set out the purpose of accreditation and include a list of definitions;
- explain routes to accredit certification bodies;
- give a framework for additional accreditation requirements, when accreditation is handled on the national level;
- stress they are not a procedural manual, or a new technical standard;
- highlight that the final form document will include an annex outlining a framework for identifying accreditation criteria.
What is ‘accreditation’?
Accreditation would result in “an attestation by a national accreditation body and/or by a supervisory authority, that a certification body is qualified to carry out certification pursuant to article 42 and 43 GDPR, taking into account EN-ISO/IEC 17065/2012 [ISO 17065] and the additional requirements established by the supervisory authority and or by the Board.” Its purpose is to provide an authoritative statement of competence to perform certification. WP29 has since called for this ISO certification standard to be made publicly available free of charge.
Accreditation and Article 43(1) GDPR
Member states must ensure certification bodies are accredited, but they have the flexibility to determine who should be responsible for conducting the assessment. Member state law may be used for clarification as to which entity should bear this responsibility. Where a member state requires certification bodies to be accredited by:
- the supervisory authority – the authority should establish accreditation criteria, including (but not limited to) the requirements set out in Article 43(2). The guidelines recommend the criteria be guided by ISO 17065.
- national accreditation bodies – the supervisory authority should establish additional requirements which complement existing accreditation convention set out in Articles 3 –14 of Regulation (EC) 765/2008 and the technical rules covering the methods and procedures of certification bodies. Criteria or requirements approved by a supervisory authority should also be published and available to the public to promote transparency.
The guidelines address potential conflicts of interest within a supervisory authority and give an example of where a supervisory body and other certification bodies co-exist in a member state issuing the same range of certifications.
WP29 has stated that the final iteration of the guidelines will include an annex, setting out how to identify additional accreditation criteria, as well as further details on GDPR compliance by supervisory authorities and national accreditation bodies. The guidelines highlight WP29’s focus on certification bodies achieving an appropriate level of expertise in data protection – in accordance with Article 43(1) of the GDPR – and being able to respect the rights given to individuals in the GDPR.
Once finalised, the guidance should become a helpful tool for both organizations seeking to become a certified body, and for those companies which seek to obtain such certification. We expect there to be some time lag, however, between the finalised guidance and the ability of a supervisory authority or other certification bodies to obtain accreditation, and a further lag before organisations are able to seek a certification under the GDPR.