On July 10, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on May 25, 2018, for public consultation.

CIPL highlights in its comments that in order to achieve the goals of certifications under the GDPR (i.e., to use certifications as an accountability tool to demonstrate compliance and as a cross-border data transfer mechanism), certification mechanisms should be based on a harmonized EU-wide minimum GDPR certification standard or template which is adaptable to different contexts. Such a baseline standard will enable both EU-wide general GDPR certifications as well as more narrow GDPR certifications customized for specific products, services, processes, industry sectors and/or jurisdictions. CIPL recommends that the EU-wide baseline standard should be developed by the European Commission and/or the EDPB in collaboration with certification bodies and industry.

In addition to basing GDPR certifications on a harmonized EU-wide minimum GDPR certification standard, CIPL underlines in its comments that certification mechanisms should:

  • permit the certifying of entire organizational privacy management programs, in addition to specific products, services and processes;
  • enable interoperability as much as possible with other, similar EU accountability schemes as well as other certification schemes in other countries and regions, such as the APEC Cross-Border Privacy Rules ( “CBPR”) and Privacy Recognition for Processors (“PRP”);
  • be construed on the basis of a holistic approach which enables both national or EU compliance and cross border compliance as part of one set of certification criteria.

To read the above recommendations in more detail, along with CIPL’s other recommendations on certification and identifying certification criteria in accordance with articles 42 and 43 of the GDPR, view the full paper.

These comments follow CIPL’s related consultation response to the Article 29 Working Party’s Draft Guidelines on the Accreditation of Certification Bodies under the GDPR.

CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 92 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input about other GDPR topics prioritized by the EDPB.