Since the EU General Data Protection Regulation came into force in May 2018, there hasn’t yet been a way to prove compliance with it. Until now. Luxembourg’s GDPR-CARPA is the first officially recognised certification scheme to be adopted under the regulation. It’s surprising that such a significant development hasn’t received more attention, given the discourse around GDPR certification schemes. It’s potentially a game changer. At last, consumers and organisations can have independently verifiable assurance of an entity’s commitment to data privacy.
Before getting to the detail of this breakthrough, let’s quickly recap. The GDPR was always intended to lead to compliance schemes that could independently certify how an organisation processes personal data, along with appropriate controls and measures. Articles 42 and 43 refer to this.
So why has it taken this long for a GDPR certification scheme to launch? Personally, I am glad that Europe has taken a slow but methodical approach. Schemes need to be robust and well planned, as they are essential to giving independent proof, or ‘assurance’ in certification language. The regulation is still in its infancy and certification mechanisms were always expected to emerge once the regulation began to mature and become more embedded.
Which brings us to Luxembourg. Its GDPR-CARPA (Certified Assurance Report Based Processing Activities) is the first and so far the only certification scheme to be adopted under the GDPR.
Companies, public authorities, associations, and other organisations (that is, data controllers and processors) established in Luxembourg will now be able to demonstrate that their data processing activities comply with the GDPR.
The criteria for certification
The criteria are divided into three sections. The first relates to data governance within the applying entity (e.g., policies and procedures, records of processing activities, data subjects’ rights, data protection officer, and recording and reporting of data breaches). The second relates to entities acting as data controllers and checks compliance with the main data protection principles under Article 5 GDPR. Finally, the third section relates only to entities acting as data processors (contracts with controllers and subcontracting, security, transfer of personal data to third countries).
The GDPR-CARPA certification scheme doesn’t focus on a specific sector or type of processing. Nor is it suitable in all cases. Some exceptions include the processing of personal data specifically targeting minors under the age of 16, the processing of personal data relating to criminal convictions and offences, and entities that haven’t formally appointed a data protection officer.
It is also worth highlighting the EDPB’s note that certification does not prove compliance in and of itself – although it forms an element that can be used to show compliance.
However, the EDPB also notes a unique feature of the scheme. It’s based on an ISAE 3000 Type 2 report that allows for the issuing of an opinion on the correct implementation of the control mechanism, while the auditor is formally held responsible. “This guarantees a high level of confidence – a key factor in building trust in the processing of personal data covered by the certification scheme,” the EDPB said.
Why GDPR certification matters
Certification schemes are important for two key reasons. Firstly, they are a public-facing accountability instrument. Becoming certified helps to demonstrate that controllers’ and processors’ processing operations comply with a regulation’s requirements (the GDPR, in this case). It can promote transparency and allow data subjects to better determine the degree of protection offered by services, processes, or systems used or offered by the organisations that process their personal data.
Another equally important benefit is to mitigate the risk of organisations offering ‘GDPR certified’ services or offering ‘GDPR compliant’ applications. Today, many organisations make these claims without having valid mechanisms or adequate qualifications to back them up. As a data protection professional, I am particularly keen to see this aspect of certification addressed.
A tipping point for certification
Luxembourg’s CARPA is a wonderful step in the right direction. In fact, I’m surprised that the online discourse about it has been so quiet. I expect to see a ripple of certification schemes appear across jurisdictions over the course of the next year. Others are incubating right now. For instance, BH Consulting is currently working with the Europrivacy Consortium to develop the Europrivacy Certification. With CARPA and other schemes like it, finally, consumers and organisations will quickly be able to determine:
- if an organisation is the correct fit for them
- if that organisation’s values towards privacy align with their own
- if its process complies with the GDPR (making third party agreements and DPAs so much easier in the future).
To realise the potential value that GDPR certifications have for both data subjects and organisations, think of the positive influence that mandatory nutritional labels on food had on consumer rights, health and wellbeing. For the first time they empowered consumers to determine if a product was right for them, by evaluating the contents of the label. (It’s arguable that consumers know more about carbs, sugars and proteins than they do about data protection rights. But an excellent paper discussing a GDPR privacy label offers a possible solution to this.)
Just as the nutritional label was a game changer in terms of consumer awareness and consumer choice, so too I expect certification will be in terms of data protection. It excites me to think we’re so close.
Dr Valerie Lyons is chief operations officer at BH Consulting