On 25 May 2020, the European Data Protection Board (EDPB) issued its opinions on draft decisions of certain national supervisory authorities on certification and code of conduct monitoring bodies’ accreditation requirements. This includes opinions on the draft decisions from supervisory authorities in:

  • Finland, Germany, Ireland, and Italy, on the approval of the requirements for accreditation of a code of conduct monitoring body under article 41 of the General Data Protection Regulation (GDPR)
  • The Czech Republic, Germany, and Ireland, on the approval of the requirements for accreditation of a certification body under article 43(3) of the GDPR

Continue Reading EDPB publishes opinions on draft decisions of Data Protection Authorities on the accreditation of certification bodies and code of conduct monitoring bodies

Increasingly, businesses are looking to adopt data protection certifications and standards for myriad reasons, including enhancing consumer trust, demonstrating compliance when contracting with partners and managing regulatory risk.

We have prepared a high-level comparison to guide Singapore businesses in determining which certification or certifications could be the best fit.

ISO/IEC 27701:2019

Who can apply: All organisations, private or public, regardless of size and for-profit status. Data controllers and processors/intermediaries are eligible to apply.

Features: The ISO/IEC 27701:2019 standard provides a data privacy extension to ISO/IEC 27001:2013 Information Security Management and ISO/IEC 27002:2013 Security Controls. It extends their requirements to take into account, in addition to information security, the protection of privacy of individual consumers as potentially affected by the processing of personal data.

The annexes to the standard list the applicable controls for data controllers and processors, and map the provisions of the standard against the EU General Data Protection Regulation (GDPR), amongst other things.

Continue Reading A snapshot comparison of data protection certifications in Singapore

At its eleventh plenary session on 4 June 2019 in Brussels, the European Data Protection Board (EDPB) adopted final versions of (1) the Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679, (2) annex 2 to the Guidelines on certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

On 7 June 2019, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Network and Information Security) and on information and communications technology cybersecurity certification, also known as the Cybersecurity Act, was given the final go-ahead and published in the Official Journal of the European Union. The Cybersecurity Act will come into force

The UK’s Information Commissioner’s Office (ICO) has published new guidance on certification and codes of conduct for data processing as well as expected timetables for finalising its revised guidelines on these topics.

Certification

Certification is a voluntary mechanism for organisations to validate their compliance with the General Data Protection Regulation 2016/679 (GDPR). Once the submissions

The European Data Protection Board (EDPB) has adopted guidelines in relation to the certification mechanism prescribed under the General Data Protection Regulation 2016/679 (GDPR). The EDPB guidelines are aimed at supervisory authorities and certification bodies and provide helpful insight into the requirements and criteria relevant to all types of certification mechanisms issued under articles 42 and 43 of the GDPR.

Certification

The EDPB, supervisory authorities and certification bodies are required to encourage certification mechanisms and data protection seals and marks. Although these terms are not defined under the GDPR, it is clear that they intend to mark the approval of GDPR compliance in relation to specific processing operations carried out by a controller or processor. Once certified, the organisation may display a seal or mark to demonstrate its compliance.

The certification mechanism is recognised as an appropriate safeguard. Restricted transfers can therefore be made to an organisation if that organisation has received a certification, providing the organisation makes binding and enforceable commitments to apply the appropriate safeguards. The EDPB plans to issue further guidance on these required commitments.

Continue Reading EDPB issues guidelines on GDPR certification

The Article 29 Working Party (WP29) published a consultation on guidelines for the accreditation of certification bodies under the General Data Protection Regulation (GDPR), which closed at the end of March.

The consultation guidelines would require a certification body under the GDPR to be accredited by either the competent supervisory authority or the national accreditation body, or both. The guidelines aim to establish a harmonised baseline for certification.

General overview

In brief, the guidelines:

  • set out the purpose of accreditation and include a list of definitions;
  • explain routes to accredit certification bodies;
  • give a framework for additional accreditation requirements, when accreditation is handled on the national level;
  • stress they are not a procedural manual, or a new technical standard;
  • highlight that the final form document will include an annex outlining a framework for identifying accreditation criteria.

Continue Reading Article 29 Working Party consultation on guidelines for accrediting certification bodies under the GDPR

On 27 November 2017, the European Union Agency for Network and Information Security (“ENISA”) published a report on Recommendations on European Data Protection Certification (“Report”). The aim of the Report is to identify and analyse challenges and opportunities of data protection certification mechanisms, as introduced by the General Data Protection Regulation (“GDPR”).

The Report provides an overview of existing data protection certification mechanisms, and looks at the terminology and clarifying concepts that are relevant to GDPR certification, as established in Articles 42 and 43 of the GDPR. The Report also presents research and analysis on various certification schemes, including the ePrivacyseal EU, EuroPrise, CNIL Labels and the ICO Privacy Seal. It further focuses on some of the questions relating to successful take-up of certifications, as well as the role of certification as a transparency and accountability instrument under the GDPR. The Report additionally notes that data protection certification mechanisms under the GDPR are likely to face challenges, given the diversity of existing data protection certifications.

The Report sets out several recommendations that are intended to provide high-level guidance to data protection authorities, certification bodies, and data controllers/processors. The main recommendations include:

Continue Reading ENISA publishes report on recommendations for data protection certification mechanisms under the GDPR

As part of its GDPR Implementation Project, the Centre for Information Policy Leadership (‘CIPL’) has released a discussion paper on certifications, seals and marks. The paper stresses the benefits of certifications that can be adapted to different companies and contexts, all while retaining common cross-border baselines. As no such measure is currently in place ahead