GDPR has needed a centralized assessment and certification model for some time now. Still, with the plethora of certifications and standards covering different business contexts, no single approach has yet risen to the top of the heap. However, the governing bodies of GDPR have authorized the new Europrivacy standard to forgo this certification balkanization in favor of a new, hybrid process.
Europrivacy and the Certification Process
Europrivacy is the newest GDPR assessment and certification standard and looks to become a significant force in the industry. Currently, several different assessment bodies may handle GDPR certification. These include:
- EuroPriSe: This organization is currently the primary certification group under the GDPR Security Directive. It conducts independent audits of IT processes and products and awards seals of approval upon successful assessment. These seals are good for two years before re-assessment is required.
- ISO 27001: The International Organization for Standardization updates and maintains the ISO 27001 series, a collection of documents focused on IT security, security practices, and organizational risk management. While ISO 27001 is not mandatory for any industry or jurisdiction, the standard is considered sufficient for GDPR compliance.
- TRUSTe: This organization supports US companies that seek GDPR compliance for their business operations in the EU.
Europrivacy can potentially render many of these secondary certifications unnecessary by serving as a centralized model for GDPR compliance both inside and outside the EU.
So, what does Europrivacy look like? According to their overview pages, they begin with a basic certification process broken into three steps:
- Document Preparation: Following the Europrivacy Welcome Pack, the business should review and prepare documentation to demonstrate its GDPR compliance. The business will also look for qualified partners to help with the process. These partners are accredited under Article 43 of GDPR.
- Certification: Working with a certification body (that is, a qualified partner), your organization must demonstrate that your data processes comply. Authorization for this assessor must come through the European Centre for Certification and Privacy (ECCP) and a “competent national authority.”
- Maintenance: Your organization must also maintain compliance year after year. This includes staying on top of changes to Europrivacy standards and undergoing annual audits.
The Hybrid Europrivacy Certification Model
To structure the program itself, the ECCP provides a hybrid certification model that combines the core GDPR criteria with the local, contextual factors that an organization may have to meet.
GDPR Core Criteria
The heart of the Europrivacy standard is its adherence to the GDPR core criteria, or critical aspects of the law, to which the organization’s data processing infrastructure must adhere.
These criteria are:
- Lawfulness of Data Processing: The assessed data processes must adhere to the lawfulness requirements of GDPR, including clearly stating the purpose of the data processing, sticking to that stated purpose, and providing needed transparency into the process.
- Special Data Processing: GDPR defines special categories of data that require different or stronger protections. These include data on race or ethnic origin, healthcare data, biometrics, genetic information, and data identifying several other social categories (sexual orientation, political opinion, religion, union membership, or philosophical beliefs).
- Rights of the Data Subject: The organization must demonstrate that it can respond to the rights of data subjects, including the right to disclosure of their information, the right to have incorrect data corrected, and the right to have their information deleted (the right to be forgotten).
- Data Controller Responsibility: “Data controllers” are businesses that make decisions about data collection and processing–what it’s for, how it is stored and used, and how those processes meet GDPR standards. The primary role of a data controller is to ensure this compliance in all regulated processes.
- Data Processors and Subprocessors: “Data processors” are organizations or IT systems that directly store or process data (and this category can often overlap with the data controller category). These organizations must ensure that all IT systems meet GDPR requirements. Note that data processor responsibilities are often, though not always, slightly narrower than those of data controllers because of their more limited scope.
- Security of Processing and Data Protection by Design: All processes and IT systems must be designed and built with security and privacy from the ground up.
- Management of Data Breaches: Organizations must have processes and policies to manage breaches–namely, to track, mitigate, remediate, and report on these breaches as defined by GDPR.
- Data Protection Impact Assessment: The organization must create a DPIA to address risks around processing personal data and how it intends to reduce or mitigate these risks.
- Data Protection Officer: Per GDPR, regulated organizations must have a DPO to handle compliance and privacy controls while also interfacing with compliance agencies and authorities.
- Transfer of Personal Data to Third Countries or International Organizations: Organizations must have protections to prevent the unauthorized transmission of protected data to international organizations or third countries (that is, countries outside of EU jurisdiction).
Along with general GDPR requirements, Europrivacy will include domain-specific assessment criteria that may help address specific demands related to industry, local laws and regulations, or risks inherent to specialized technologies or IT infrastructure configurations.
These criteria are:
- Complementary Checks and Controls: Europrivacy will include any complementary controls necessary for domain- and technology-specific requirements. These can include local or practice-specific requirements that may fall under GDPR assessment.
- Technical and Organizational Measures: There will also be specific assessments of the adequacy of the technical measures in place to protect data processing. High-risk data may require additional checks, but the baseline requirements can be satisfied by ISO/IEC 27001 certification.
- Surveillance Audits Checklist: These checklists assess the ability of the data processes to handle ongoing surveillance for continuous monitoring and the assurance of compliance over time.
- National Obligations: Europrivacy will also incorporate local jurisdictions’ requirements and optional extensions based on non-EU jurisdictions.
The Future of Security Is in GDPR. Don’t Fall Behind
The likelihood that businesses expand, in part or whole, into EU jurisdiction is higher than one might think. Shared consumer services, B2B IT infrastructure, and eCommerce websites touch on different aspects of EU jurisdiction.
If you’re curious about what’s coming down the pike in terms of GDPR or Europrivacy assessments, contact Lazarus Alliance.