CIPL's certifications

20. April 2017

On 12 April 2017, the Centre for Information Policy Leadership ("CIPL") released a discussion paper on Seals, Marks and Certifications under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms.

It is intended as a formal input into the process of developing certification mechanisms under the GDPR and contains recommendations on the GDPR's provisions on the use of certification mechanisms and on their development and implementation.

Certifications may be beneficial for multinational companies, as they may facilitate business arrangements with service providers and business partners. Their comprehensive GDPR compliance structure should also be useful for small and medium-sized enterprises. Their potential to create interoperability with other legal regimes can also be used efficiently.

Namely, the Discussion Paper contains the following:

  • Certification is foreseen to be available for a service, system, product or particular process, or for an entire privacy program
  • Certification should be created for the purpose of data transfers (art. 42 (2)(f))
  • Specific GDPR certification sectors may be covered by sector-specific codes of conduct
  • Certification proliferation should be avoided so that certification remains sought after
  • Certifications should be adaptable to different contexts, affordable, and scalable to different company sizes
  • An organization's BCR approvals should be leveraged in order to achieve certification
  • A common baseline certification should be created that can be used directly
  • The baseline certification should differ in its application depending on the certification bodies and processes
  • GDPR certification should be consistent with other certification schemes (the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, Japan Privacy Mark, ISO/IEC standards, and the APEC CBPR)
  • DPAs should affirm certifications as a recognized means of GDPR compliance