On April 12, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a discussion paper on Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms (the “Discussion Paper”). The Discussion Paper sets forth recommendations concerning the implementation of the EU General Data Protection Regulation’s (“GDPR’s”) provisions on the development and use of certification mechanisms. The GDPR will become effective on May 25, 2018. The EU Commission, the Article 29 Working Party, individual EU data protection authorities (“DPAs”) and other stakeholders have begun to consider the role of GDPR certifications and how to develop and implement them. CIPL’s Discussion Paper is meant as formal input to that process.
Certifications, seals and marks have the potential to play a significant role in enabling companies to achieve and demonstrate organizational accountability and GDPR compliance for some or all of their services, products or activities. The capability of certifications to provide a comprehensive GDPR compliance structure will be particularly useful for small and medium-sized enterprises. For large and multinational companies, certifications may facilitate business arrangements with business partners and service providers. In addition, certifications, seals and marks can be used as accountable, safe and efficient cross-border data transfer mechanisms under the GDPR, provided they are coupled with binding and enforceable commitments. Finally, there is potential for creating interoperability with other legal regimes, as well as with similar certifications, seals and marks in other regions. Thus, as explained in the Discussion Paper, certifications may present real benefits for all stakeholders, including individuals, organizations and DPAs.
To reap the full benefit of certifications, however, according to CIPL, it is crucial that certifications are efficiently operated, incentivized and clearly accompanied by benefits for certified organizations. Otherwise, organizations will be reluctant to invest time and money in obtaining and maintaining GDPR certifications.
The Discussion Paper contains the following “Top Ten” messages:
- Certification should be available for a product, system, service, particular process or an entire privacy program.
- There is a preference for a common EU GDPR baseline certification for all contexts and sectors, which can be differentiated in its application by different certification bodies during the certification process.
- The EU Commission and/or the European Data Protection Board (“EDPB”), in collaboration with certification bodies and industry, should develop the minimum elements of this common EU GDPR baseline certification, which may be used directly, or to which specific other sectoral or national GDPR certifications should be mapped.
- The differentiated application of the common EU GDPR certification for specific sectors may be informed by sector-specific codes of conduct.
- Overlap and proliferation of certifications should be avoided so as not to create consumer/stakeholder confusion or make certification less attractive for organizations seeking it.
- Certifications must be adaptable to different contexts, scalable to the size of the company and nature of the processing, and affordable.
- GDPR certifications must be consistent with, and take into account, other certification schemes and be able to interact with them or be as interoperable with them as possible (this includes ISO/IEC Standards, the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, APEC CBPR and the Japan Privacy Mark).
- The EU Commission and/or the EDPB should prioritize developing a common EU GDPR certification for purposes of data transfers pursuant to Article 46(2)(f).
- Organizations should be able to leverage their BCR approvals to receive or streamline certification under an EU GDPR certification.
- DPAs should incentivize and publicly affirm certifications as a recognized means to demonstrate GDPR compliance, and as a mitigating factor in case of enforcement, subject to the possibility of review of specific instances of noncompliance.
The Discussion Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 70 private sector organizations, with active engagement and participation by many EU-based data protection and governmental authorities, academics and other stakeholders.