GDPR certification: What is it, and do you need it?
How the ICO will measure GDPR compliance, and whether a certificate means anything
Preparing for the arrival of the General Data Protection Regulation was, for some companies, a difficult and anxiety-inducing task. The new regulations required businesses to rethink their approaches to data collection and justify their reasons for processing information.
Businesses across the UK are still struggling to find their feet in the ongoing compliance process, and it's fair to say that for the majority of organisations, particularly those with extensive operational histories, 100% compliance is unlikely - something which the Information Commissioner's Office is sympathetic to.
Yet, in the build-up to GDPR, many businesses were inundated with messages from companies claiming to be experts in data protection and privacy law, offering everything from advice to software packages that promised to deliver full GDPR compliance.
The anxiety of adhering to new regulations, coupled with the prospect of huge fines for non-compliance, created the perfect opportunity for so-called experts to exploit the situation.
Let's be clear - you can't buy GDPR compliance off the shelf, and there is no single package that will help you avoid the gaze of the ICO. Although it is a good idea to get some advice from a GDPR expert, none of the courses touted as making your company GDPR compliant will actually do so.
The ICO has said it plans to release a list of approved schemes or accreditation bodies later in 2019 but, until then, you should be wary of any company claiming to offer any form of GDPR compliance certification.
Any such approved body will be able to issue organisations with the certification that shows they comply with GDPR legislation for a period of three years before needing to be renewed. According to the EU, this will likely be called 'the European Data Protection Seal'.
Data protection lawyer Dai Davis, of Percy Crow Davis & Co law firm, says: "Organisations simply need to comply with the GDPR (or at least try to). In any event, there is no certifying body. You don't need to prove compliance... you simply have to be compliant."
Of course, the ICO may audit organisations' compliance, and certainly will in the case of a breach, so it pays to be able to demonstrate that you abide by the legislation. So the question becomes, how can you do this?
How can you demonstrate GDPR compliance?
Corporate and commercial solicitor at Kirwans law firm, James Pressley, tells IT Pro there are a few different forms of proof organisations can offer the ICO. These must all demonstrate:
- Internal policies and procedures that comply with the GDPR's requirements
- The implementation of the policies and processes into the organisation's activities
- Effective internal compliance measures
- External controls
"All of these would not only need to be documented (for example, policies), but there would need to be a record kept of how they were being carried out in practice to demonstrate compliance," Pressley explains.
In addition, data controllers (the company ultimately using rather than simply processing personal data) must be able to show they have established a data protection compliance programme and privacy governance structure, as well as ongoing privacy controls.
Controllers must also embed privacy measures into corporate policies and everyday activities that concern personal data.
Not only must they document their privacy measures and keep records of compliance, but they must train employees on privacy and data protection matters and test their privacy measures, using the results to improve their policies.
How will the ICO measure compliance?
The ICO - and any other EU member state data protection authority - would consider whether your organisation is compliant with the points above, though it's probably wise to hire a legal specialist to guide you through the specifics to ensure you understand them fully.
Davis explains: "The GDPR is holistic: you have to comply with all aspects of the GDPR."
While there may be some debate as to whether a data protection policy is adequate, Pressley adds: "Past experience would suggest that the ICO requires full compliance with legislation and is unlikely to accept poor documentation or implementation."
Both lawyers make the point that when it comes to audits, firms suffering security breaches will be the ICO's first port of call.
"In practice [the ICO will measure compliance] by (a) becoming aware of organisations suffering from public breaches and (b) auditing organisations - especially those falling into the former category," Davis says.
Pressley agrees, stating: "There will be a lot of non-compliance, which will be obvious. There will be some major problems such as security breaches, in which case the organisation's policies and practices will be examined closely."
Are any GDPR certification schemes worth the money?
In short, no - certainly not if you're looking for a certificate demonstrating compliance. As mentioned above, there are currently no bodies empowered to audit and certify GDPR compliance.
Those that claim to exist will say their certification is valid for GDPR, but in fact, they're often based on the National Cyber Security Centre's Cyber Secure standard, Pressley says. That means organisations that undertake their courses may still be found non-compliant by the ICO.
However, Pressley also said the ICO had intended to approve accredited UK bodies to issue proper certification by spring 2018, just ahead of GDPR coming into force. This did not materialise, and the ICO currently has no plans to provide its own certification.
But Davis adds that existing schemes, if using the GDPR legislation as their basis, may have some value: "The more any organisation does to comply the better. Obtaining any form of external certification implies that [an] external organisation is going to check where the target organisation is not doing enough, thus enabling the target organisation to become more compliant."