gdpr-certification

Implementing Data Protection Certification

Overview

Articles 42-43 establish a framework for data protection certification mechanisms, seals, and marks to demonstrate GDPR compliance for processing operations. Certification is voluntary but serves as an accountability tool under Art. 24(3) and can demonstrate sufficient guarantees under Art. 28(5) for processors. Certification does not reduce the responsibility of the controller or processor.

Certification Framework

Art. 42 Key Provisions

• Art. 42(1): Member States, supervisory authorities, the EDPB, and the Commission shall encourage the establishment of certification mechanisms, seals, and marks.
• Art. 42(3): Certification shall be voluntary and available via a transparent process.
• Art. 42(5): Certification is issued by accredited certification bodies or the competent supervisory authority based on criteria approved by the authority or the EDPB.
• Art. 42(7): Certification is issued for a maximum of three years and can be renewed under the same conditions.
• Art. 42(7): Certification shall be withdrawn when requirements are no longer met.

Art. 43 Certification Bodies

• Art. 43(1): Certification bodies must demonstrate independence, expertise, and absence of conflicts of interest.
• Art. 43(3): Accreditation is granted by the supervisory authority or the national accreditation body (per Regulation (EC) No 765/2008).
• Art. 43(6): Accreditation is issued for a maximum of five years and is renewable.

Certification Criteria Development

Certification criteria must address:

1. Processing operations scope: Define which processing activities the certification covers.
2. Compliance requirements: Map certification criteria to specific GDPR articles.
3. Technical measures: Specify the technical controls that must be in place (encryption, access controls, pseudonymisation).
4. Organisational measures: Specify governance, training, documentation, and accountability requirements.
5. Audit methodology: Define how compliance will be assessed (document review, technical testing, interviews).
6. Ongoing compliance: Specify monitoring, reporting, and re-certification requirements.

Available GDPR Certification Schemes

Scheme	Scope	Status
EDPB-approved criteria for Europrivacy	Full GDPR compliance certification	Approved by EDPB (Opinion 28/2022)
ISO/IEC 27701:2019	Privacy Information Management System	Widely available; not a formal GDPR certification but demonstrates compliance
EuroPriSe (European Privacy Seal)	Products, IT systems, and services	Operating since 2008; updated for GDPR
CNIL Certification (France)	DPO competency certification	Approved by CNIL

Implementation Roadmap

Phase 1: Readiness Assessment (Months 1-2)

1. Identify the certification scheme appropriate for the organisation's needs.
2. Conduct a gap assessment against the certification criteria.
3. Prepare a remediation plan for identified gaps.

Phase 2: Implementation (Months 3-6)

1. Implement required technical and organisational measures.
2. Update documentation to meet certification criteria.
3. Conduct internal pre-assessment audit.

Phase 3: Certification Audit (Months 7-8)

1. Engage the accredited certification body.
2. Undergo the certification audit (document review, on-site assessment, technical testing).
3. Address any non-conformities identified during the audit.
4. Receive certification decision.

Phase 4: Maintenance (Ongoing)

1. Implement continuous monitoring aligned with certification requirements.
2. Conduct annual surveillance audits.
3. Prepare for re-certification before the 3-year expiry.
4. Report any material changes to the certification body.