On September 20, 2017, the French Data Protection Authority (CNIL) announced that it has updated two standards on privacy seals in order to take into account the requirements of the EU General Data Protection Regulation (“GDPR”).
The CNIL may issue privacy seals, each of which is issued with regard to a referential or standard adopted by the CNIL (i.e., a list of requirements that the product or procedure must satisfy in order to obtain the privacy seal). So far, the CNIL has adopted four standards, namely a standard on audit procedures covering the processing of personal data, a standard on data protection training programs, a standard on “digital safe boxes” and a standard on data privacy governance procedures. The CNIL has issued 123 privacy seals since 2012 (including 30 privacy seal renewals).
The updated standards include the standards on data protection training programs and on data privacy governance procedures. According to the CNIL, the updated standards are accountability tools that help organizations demonstrate compliance with the GDPR. In particular, the updated standard on governance procedures serves as a roadmap for ensuring and demonstrating compliance with the GDPR, while the updated standard on training programs allows for proposed training courses on the GDPR even before the GDPR becomes applicable. The CNIL will update the other standards by the end of 2017.
Privacy seals issued with regard to the previous version of the standards will remain valid until May 25, 2018, when the GDPR becomes effective. Organizations must re-apply for the privacy seal they have already obtained in order to continue benefiting from the privacy seal after that date. The CNIL will issue the new privacy seals for a period of three years.