The European Commission (the “Commission”) has released a long-awaited study on GDPR data protection certification mechanisms (the “Study”). As we previously reported, the Commission announced its intention to look into GDPR certifications in January of 2018.

The GDPR empowers the Commission to adopt delegated and implementing acts regarding certifications to specify the requirements and lay down technical standards for certification mechanisms.

The 255-page Study aims to support the establishment of certifications and seals under Articles 42 and 43 of the GDPR, and seeks to accomplish three specific objectives: (i) explain the different terms contained in Articles 42 and 43 of the GDPR; (ii) map data protection certification schemes and related technical standards and analyze 15 select certification schemes; and (iii) provide recommendations for certification criteria, additional requirements for the accreditation of certification bodies, technical standards for certification and data protection seals and marks and possible safeguards with respect to data transfers.

The Study’s key takeaways include:

  • The GDPR, while making clear the object of certification, does not limit the subject matter to one specific area—potentially covering the full spectrum of a controller or processor’s GDPR obligations.
  • Valuable insight can be gained from analyzing existing certifications, assessment methodologies, contractual arrangements and audit processes in other industries.
  • Data protection authorities will need to rely on guidance and knowledge from other fields, including technical standards to assess certification criteria in the data protection sphere.
  • Several challenges around harmonization may arise if EU Member States adopt different accreditation models (e.g., lack of recognition of certification across EU Member States, inconsistent auditing techniques, etc.)
  • There is a structural lack of knowledge in the market regarding available technical standards relevant to data protection.
  • To promote standardization of the GDPR certifications, the EU should maintain its focus on European and international standards over national ones.
  • Despite variations between the substantive requirements of the GDPR and existing non-GDPR certifications like the APEC Cross-border Privacy Rules, such certifications provide a good example on how to set up oversight mechanisms.

Certifications continue to be a developing area under the GDPR. To read more about the Commission’s findings as well its other recommendations, please view the full Study.