GDPR certification: What is it, and do you need it?
How the ICO will measure GDPR compliance, and whether a certificate means anything
Many businesses felt that preparing for the General Data Protection Regulation (GDPR) was a stressful ordeal, with the strict new data protection rules placing all kinds of demands on businesses. While some organisations only needed to make minor tweaks to their operations, others needed major overhauls of their approach to data collection and processing.
Several years after the rollout, UK organisations are still striving for full compliance, with a general acceptance that this is a journey and not an easy feat by any means. The UK's data regulator, the Information Commissioner's Office (ICO), accepts this too.
In the run-up to GDPR's introduction, businesses were approached by a series of firms pledging expertise in data protection and privacy law. Many of these firms were also marketing products and software packages that promised their prospective clients full GDPR compliance.
Taking them up on the offer may have seemed tempting, if not the right thing to do, considering the concerns about potentially huge fines for falling short. We must stress, however, that GDPR compliance isn’t something that you can purchase or fully outsource, and there’s no one quick fix to ensuring you won’t find yourself on the wrong side of the law.
While it's perfectly reasonable, and indeed very wise, to seek external advice, there is no silver bullet to GDPR compliance. The ICO has previously said that it is working on an index of approved certification schemes and accreditation bodies, and work on this process picked up last March. Any such approved body will be able to issue organisations with certification showing that they comply with GDPR legislation; the certificate is valid for three years before it needs to be renewed. According to the EU, this will likely be called 'the European Data Protection Seal'.
Until these plans are finalised, however, you should be cautious about taking up anybody's offer of GDPR compliance certification.
Data protection lawyer Dai Davis, of Percy Crow Davis & Co law firm, says: "Organisations simply need to comply with the GDPR (or at least try to). In any event, there is no certifying body. You don't need to prove compliance... you simply have to be compliant."
Of course, the ICO may audit organisations' compliance, and certainly will in the case of a breach, so it pays to be able to demonstrate that you abide by the legislation. So the question becomes, how can you do this?
How can you demonstrate GDPR compliance?
Corporate and commercial solicitor at Kirwans law firm, James Pressley, tells IT Pro there are a few different forms of proof organisations can offer the ICO. These must all demonstrate:
- Internal policies and procedures that comply with the GDPR's requirements
- The implementation of the policies and processes into the organisation's activities
- Effective internal compliance measures
- External controls
"All of these would not only need to be documented (for example, policies), but there would need to be a record kept of how they were being carried out in practice to demonstrate compliance," Pressley explains.
In addition, data controllers (the organisation that decides how and why personal data is used, rather than one that merely processes it) must be able to show they have established a data protection compliance programme and privacy governance structure, as well as ongoing privacy controls.
Controllers must also embed privacy measures into corporate policies and everyday activities that concern personal data.
Not only must they document their privacy measures and keep records of compliance, but they must train employees on privacy and data protection matters and test their privacy measures, using the results to improve their policies.
How will the ICO measure compliance?
The ICO - and any other EU member state data protection authority - would consider whether your organisation is compliant with the points above, though it's probably wise to hire a legal specialist to guide you through the specifics to ensure you understand them fully.
Davis explains: "The GDPR is holistic: you have to comply with all aspects of the GDPR."
While there may be some debate as to whether a data protection policy is adequate, Pressley adds: "Past experience would suggest that the ICO requires full compliance with legislation and is unlikely to accept poor documentation or implementation."
Both lawyers make the point that when it comes to audits, firms suffering security breaches will be the ICO's first port of call.
"In practice [the ICO will measure compliance] by (a) becoming aware of organisations suffering from public breaches and (b) auditing organisations - especially those falling into the former category," Davis says.
Pressley agrees, stating: "There will be a lot of non-compliance, which will be obvious. There will be some major problems such as security breaches, in which case the organisation's policies and practices will be examined closely."
Are any GDPR certification schemes worth the money?
In short, no - certainly not if you're looking for a certificate demonstrating compliance. As mentioned above, there are currently no bodies empowered to audit and certify GDPR compliance.
Those that claim to offer it will say their certification is valid for GDPR, but in fact, they're often based on the National Cyber Security Centre's Cyber Secure standard, Pressley says. That means organisations that undertake their courses may still be found non-compliant by the ICO.
However, Pressley also said the ICO had intended to approve accredited UK bodies to issue proper certification by spring 2018, just ahead of GDPR coming into force. This did not materialise, and the ICO hasn't launched any scheme to date.
But Davis adds that existing schemes, if using the GDPR legislation as their basis, may have some value: "The more any organisation does to comply the better. Obtaining any form of external certification implies that [an] external organisation is going to check where the target organisation is not doing enough, thus enabling the target organisation to become more compliant."