A Complete Guide To GDPR Certification

Key Points

• GDPR certification enables individuals and entities to obtain a certification from a European Data Protection Board-approved certification body that demonstrates to customers and to the EU that it is GDPR-compliant. Non-compliance attracts heavy fines up to €20 million or 4 percent of the company’s annual revenue in the previous financial year, whichever is higher.

• GDPR compliance certification ensures protection from data loss due to terrorism, vandalism, power outages, or natural disasters. It also protects against cybercriminals who attempt to access sensitive personal data for nefarious purposes.

• Becoming GDPR-compliant is a challenging, time-consuming, and expensive process. Preparing for GDPR data protection regulation ensures that your cloud-hosted company has begun the journey of meeting GDPR obligations. 

Introduction

The GDPR has the most rigorous privacy policies and security laws in the world. Even though it is an EU legislation, its influence is felt globally because any cloud-hosted company, irrespective of location, must comply with it to do business with EU citizens. 

Achieving full compliance is not an easy feat; it is a complicated and challenging journey. After the GDPR came into effect, businesses have taken strides in becoming compliant. 91 percent of companies surveyed globally by Thomson Reuters say they are aware of the GDPR but 66 percent say that GDPR compliance is difficult. 

GDPR certification enables companies to demonstrate to their country’s supervisory authority that they have taken technical and organizational measures to fulfill GDPR obligations.

At the EU level, the European Data Protection Board (EDPB) has not yet approved a European Data Protection seal or GDPR certificate. But at the national level, supervisory authorities are working to develop certification criteria and a certification mechanism based on the International Standard on Assurance Engagements—originally meant for auditors and accountants.

If there is a personal data breach, the relevant supervisory authority will audit the company and levy fines and penalties for non-compliance. So companies should be GDPR-compliant. 

Let us walk you through the essential requirements for proving GDPR compliance certification.

What is GDPR Certification?

GDPR certification is a new feature of the regulation that allows individuals or entities to obtain certification from approved accreditation bodies to demonstrate to the EU and customers that they are GDPR-compliant.

Article 42 specifies that GDPR compliance certification can be obtained from either competent supervisory authorities, accreditation certification bodies, or eventually, the EDPB—which will offer a “common certification.”

Some approved accreditation bodies are EuroPriSe, TRUSTe, Cyber Essentials, and ISO 27001 Information Security Management Systems and Cyber Essentials. 

Note that certifications offered by these accreditation bodies are not a definitive assessment of GDPR compliance. Rather they help cloud-hosted companies demonstrate accountability through the devoting of effort and resources toward becoming fully GDPR-compliant. In short, they have their affairs in order.

Why is GDPR Compliance Important?

Compliance with GDPR aims to improve data protection mechanisms at cloud-hosted companies doing business with EU citizens or located in the EU. Thus, it also offers better data protection and privacy for employees, customers, and third parties in the EU. 

GDPR fines for non-compliance are categorized into two tiers. Lighter offenses may attract a fine of €10 million or 2 percent of the company’s annual revenue from the previous financial year, whichever is higher. Severe infringements attract a fine of €20 million or 4 percent of a company’s annual revenue from the previous financial year, whichever is greater. 

When compared to GDPR certification costs of an average of €1.3 million, taking steps to comply with the GDPR is a smart move. 

Amazon was fined €746 million by Luxembourg’s data protection body for its data collection practices. Another bigwig, WhatsApp, was fined 225 million by Ireland’s data protection body for breaches of transparency and data subject information obligations. 

Check out this video on GDPR fines and impact on businesses

Apart from fines, GDPR compliance ensures protection from data loss due to external events like natural disasters or vandalism and from cybercriminals who attempt to gain access to sensitive and confidential information. 

How to Become GDPR Compliant?

The GDPR requires that cloud-hosted companies take a holistic approach to demonstrate compliance. It isn’t simply a case of tweaking your privacy policy and investing in a couple of emerging technologies. 

Here’s a GDPR compliance checklist for you to follow:

Prepare for GDPR compliance certification

Begin by creating a project plan for the implementation of your GDPR obligations. Ensure that you involve the appropriate stakeholders and conduct a readiness assessment to determine which tasks you need to complete before proceeding with GDPR certification.

Define your personal data policy

Next, draft an internal personal data policy for your cloud-hosted company and additional top-level policies like the Data Retention Policy. Staff awareness is a crucial component of a GDPR compliance framework. Conduct GDPR training courses to make employees aware of basic GDPR principles and procedures. 

Hire a data protection officer (DPO) to take responsibility for your company’s GDPR compliance and inform the supervisory authority about his/her identity. This person should be an independent entity and should be a data protection expert.

The GDPR requires that any company or public authority with more than 10-15 employees that process personal data should appoint a DPO. This person will advise and inform the company about its GDPR obligations and monitor GDPR compliance. He/she will ensure that tasks on the GDPR compliance checklist are completed and oversee periodic GDPR audits.

Create a list of processing activities

Create a list of the processing activities performed at your cloud-hosted company and explain the lawful basis for each processing activity in order to implement data subject rights.

Create a data flow map to identify risks in your data processing activities.

Article 30 requires you to keep records of personal data processing activities sourced from data flow audits and gap analysis. Ensure that you have published transparent and easy-to-understand privacy notices for your data subjects.  

Define a process to manage data subject rights

Your cloud-hosted company needs to obtain cookie consent from data subjects before it processes or stores their personal data. You must present the request in clear and simple terms and explain how the data will be used, how long it will be used, and how long it will be stored. Data subjects should also be able to opt-out whenever they want.

Implement a data protection impact assessment (DPIA)

Before your cloud-hosted company begins a new project that involves personal data processing that will be stored permanently, the DPO must execute a data protection impact assessment. It checks the processes of the company and how they could impact the privacy of individuals or entities from whom data is collected.

Secure personal data transfers

Ensure that your mechanisms for transferring personal data outside the EU are GDPR-compliant. Take necessary legal and security measures to protect such data. 

Amend third-party contracts

Make sure that all third-party contracts that include the processing of personal data are amended to comply with the GDPR. 

Secure sensitive personal data

Take these steps to ensure that personal data is safe:

• Have an information security policy in place. 
• Use encryption and/or pseudonymization wherever appropriate.
• Implement basic technical controls like those given by Cyber Essentials.

Define how to handle data breaches

The GDPR requires that data breaches are reported to the local data protection authorities within 72 hours of discovery. So you should have processes for detecting and responding to personal data breaches and notifying the relevant supervisory authority and, if necessary, data subjects. 

Examples of GDPR Certification Bodies

Here are some examples of accreditation bodies deemed acceptable by the GDPR:

1. The European Privacy Seal (EuroPriSe): It is a European certification scheme for IT products and IT-based services that demonstrates compliance to criteria based on the European Data Protection directives (95/46/EC and 2002/58/EC) and the opinions of Article 29 working party.

2. TRUSTe: US companies (doing business in the EU) that display the TRUSTe Certified Privacy seal demonstrate that their privacy policies and practices are in line with the TRUSTe Enterprise Privacy & Data Governance Practices Assessment Criteria. It is a combination of several regulatory standards like the APEC Privacy Framework, ISO 27001, HIPAA, the OECD Privacy Guidelines, and the GDPR. 

Conclusion

Depending on the outcome of your readiness assessment, you may need to perform some or all of the steps outlined in the GDPR certification checklist. GDPR compliance is a worthwhile investment for any cloud-hosted company—and not a burden—because it increases customer engagement and builds customer confidence. 

Whether you have just begun the journey of GDPR compliance or have taken some steps, Sprinto can help you simplify the process of becoming a GDPR compliant. Its zero-touch automation platform can help you become GDPR-ready 10X faster. Take Sprinto for a spin today! 

FAQ: GDPR Certified

What is GDPR certification?

GDPR certification enables individuals or entities to get certified by approved accreditation bodies like EuroPriSe or TRUSTe that will demonstrate to customers and to the EU that they are GDPR-compliant. 

How to get GDPR compliance certification?

Obtaining GDPR compliance certification involves the following steps:

1. Prepare for GDPR certification
2. Define personal data policy
3. Create a list of processing activities
4. Define a process to manage data subject rights
5. Run a data protection impact assessment (DIPA)
6. Make personal data transfers safe
7. Amend third-party contracts
8. Secure personal and sensitive data
9. Define how data breaches will be handled

How can we become a GDPR certification body?

GDPR certification bodies need to fulfill the following criteria:

1. They demonstrate to the relevant supervisory authority their independence and expertise in the subject matter of the certification.

2. They have established procedures for the issue, withdrawal, and periodic review of data protection certifications, marks, or seals.

3. They have established structures and procedures for handling complaints regarding infringement of certification or the way in which the certification is being implemented. They should also make these procedures transparent to data subjects and the general public.

4. They should be able to demonstrate to the relevant supervisory authority that there is no conflict of interest with respect to their tasks and duties