On 27 November 2017, the European Union Agency for Network and Information Security (“ENISA”) published a report on Recommendations on European Data Protection Certification (“Report”). The aim of the Report is to identify and analyse challenges and opportunities of data protection certification mechanisms, as introduced by the General Data Protection Regulation (“GDPR”).
The Report provides an overview of existing data protection certification mechanisms, and looks at the terminology and clarifying concepts that are relevant to GDPR certification, as established in Articles 42 and 43 of the GDPR. The Report also presents research and analysis on various certification schemes, including the ePrivacyseal EU, EuroPrise, CNIL Labels and the ICO Privacy Seal. It further focuses on some of the questions relating to successful take-up of certifications, as well as the role of certification as a transparency and accountability instrument under the GDPR. The Report additionally notes that data protection certification mechanisms under the GDPR are likely to face challenges, given the diversity of existing data protection certifications.
The Report sets out several recommendations that are intended to provide high-level guidance to data protection authorities, certification bodies, and data controllers/processors. The main recommendations include:
- National certification bodies and data protection authorities (“DPAs”), under the guidance and support of the European Commission and the European Data Protection Board (“EDPB”), should adopt a common approach on inception and deployment of GDPR certification mechanisms.
The Report notes that some terms used in the GDPR relating to certification are unclear and may lead to confusion, particularly in sectors where the certification process is already established. This, along with issues that might arise from adopting diverse certification processes, means it is crucial that DPAs adopt a common approach. Further, the Report recommends adopting a common approach regarding the criteria that are approved by DPAs and the EDPB. Procedures are also needed where certifications issued in one EU Member State are used in another Member State. For example, a common register could be set up to list all issued/withdrawn certification mechanisms across EU Member States.
- National certification bodies and DPAs, with the support of the European Commission and the EDPB, should provide guidance and promote best practices to ensure consistency and harmonization in the deployment of GDPR certification mechanisms.
The Report highlights several areas that would benefit from further guidance, including:
– The procedures for mutual recognition by DPAs
– Compatibility of certifications based on international standards (e.g., ISO/IEC) and non-EU certifications with GDPR
– Accreditation models and procedures
– Transparency thresholds and complaints mechanisms
– Further clarity on the common register (e.g., if it is open to the public)
– Common guidelines on procedures that DPAs and the EDPB should follow
– Criteria for certification approved by DPAs and EDPB
– Post-certification surveillance measures
- The European Commission and the EDPB should stimulate the establishment of safeguards that will ensure trustworthiness of the certification process.
The GDPR allows for DPAs to engage with the accreditation and certification processes in different ways, including where DPAs opt for a dual role. This could lead to potential conflicts of interest if the supervisory body is responsible for assessing and issuing certification, while at the same time being entrusted with supervisory powers over the same processing operations of the data controller or processor. The Report therefore recommends that DPAs should not be the sole accreditation and certification body. If they are, safeguards should be in place to avoid function creep (e.g., separating the certification staff from the staff conducting supervisory activities).
- The European Commission and the EDPB should stimulate the establishment of safeguards that will ensure transparency of the certification process.
The Report recommends the promotion of quality certification schemes to prevent the market from being flooded with untrustworthy certifications.
- The EDPB, in close cooperation with national certification bodies and DPAs, should promote an EU scalable approach with approved and widely accepted criteria.
The Report notes that, as certification may be a lengthy and costly process, SMEs may choose not to pursue this route because of resource limitations. However, SMEs with low-risk processing operations may benefit from using published approved criteria as a self-assessment tool. Although this would not lead to formal certification, it may still add value for SMEs and help them demonstrate compliance to the supervisory authorities.
- The European Commission and the EDPB, in close cooperation with national certification bodies and DPAs, should stimulate the exchange of best practices and lessons learnt from certification practices in other well-established domains (e.g., cybersecurity).
Although the GDPR only provides for certification of processing operations, rather than of products or services (as ICT security schemes do, for example), the Report considers that best practice and accumulated experience from other sectors could support the development of certification mechanisms under the GDPR.
Apart from the certification schemes examined in the Report, there are alternative certifications. The three main international standards bodies, the International Organization for Standardization, the International Electrotechnical Commission, and the International Telecommunication Union, recently published a ‘Code of Practice for the Protection of Personally Identifiable Information’. This jointly developed ISO/IEC 29151 | ITU-T X.1058 standard sets out controls aimed at minimising the risk of personal data breaches.
The Report provides some helpful analysis of the potential challenges of data protection certification mechanisms under the GDPR. Businesses will no doubt be eager to see how this area develops because, if implemented effectively, there are clear commercial benefits to certification. However, for this to operate as an effective risk management tool while also being a viable commercial proposition, the issues and questions outlined in the Report need to be addressed by DPAs as they develop GDPR data protection certification mechanisms. In that regard, DPAs need to adopt a common approach and mutual recognition, so that businesses operating across the EU can certify to a particular scheme and be confident that this will apply in each jurisdiction. Without such assurances, businesses may choose not to invest time and money in adhering to a certification scheme, and instead focus on other data protection mechanisms or look to alternative certifications. Finally, businesses should bear in mind that despite being a mechanism to demonstrate their processing operations’ GDPR compliance, a certification will not reduce their responsibility to comply with the GDPR.