GDPR certs for technology solutions - Is there a real value?

COMMENT - There seems to be a growing number of third-party providers offering GDPR certification for technology solutions, clearly responding to the demand from technology companies seeking validation.

In this recent example, the Orchestra Identity Management platform has been granted a Privacy by Design certification by Canada's Ryerson University. The platform processes passengers at airports by automating steps such as identity checks and boarding using the travellers' biometric identity data. Given the sensitive nature of that data, it is of course essential that the passengers' data and privacy are protected. The article states that the solution has been "certified" as having been designed with privacy by design principles in mind, and that an external GDPR certification has been issued to attest to this in writing.

Can a technology really be externally GDPR certified?

It is a topic that needs more analysis than it has been given so far, but here are a couple of thoughts from my initial reading.

Clearly, for the tech companies there are some big advantages to having a GDPR certification, the main one being its marketing value. Having a seal of approval from an independent auditor can create trust in the solution and its brand, and transparency for its users.

However, my understanding is that at the moment there is no official certification body for GDPR. The European Privacy Seal (EuroPriSe), a company offering GDPR certifications, states on its own website:
"EuroPriSe's criteria catalogue v201701 has not been approved pursuant to Article 42(5) GDPR and EuroPriSe GmbH has not been accredited as a certification body pursuant to Article 43 GDPR" 
The European Data Protection Board (EDPB) published guidelines on the subject in June 2019. They make clear that the EDPB encourages the establishment of certification mechanisms while leaving the details to the national supervisory authorities to sort out. The guidelines leave a national supervisory authority the following options:
  • issue certification itself, in respect of its own certification scheme;
  • issue certification itself, in respect of its own certification scheme, but delegate whole or part of the assessment process to third parties;
  • create its own certification scheme, and entrust certification bodies with the certification procedure which issue the certification; and
  • encourage the market to develop certification mechanisms.
The ICO, the UK supervisory authority, states the following on its website:
"At this time, there are no approved certification schemes or accredited certification bodies for issuing GDPR certificates."
So it seems there is no official accreditation yet, although there will be at some point.

Any certification offered today seems to be based on the GDPR interpretation and processes of the company providing it. The above-mentioned EuroPriSe is seeking official accreditation, which would then apply only in the country in which it has been approved.

What about the principle of accountability?

Does third-party certification not run counter to the core GDPR principle of accountability, which lies solely and firmly with the data controller? Maybe the thinking is that the certifying organisation could take some of the blame if things go wrong?

The EDPB is also clear on this point: a certification mechanism is "used as an element to demonstrate compliance with obligations of the controllers and processors". The EDPB also states that certification "does not prove compliance", and that it can have a positive as well as a negative effect on sanctions in the event of a breach. This seems to indicate that a certification can only provide an approved process to follow, and reassurance that a company followed that process at the time of assessment. It will not guarantee ongoing compliance.

What does it mean for the certified piece of technology?
Let's go back to the example above of the "certified" piece of airport technology. Once there is an officially accredited body, a certification can attest that GDPR principles were applied when the system was designed. But certification of the technology solution alone cannot protect the passengers' sensitive data. The airport buying and implementing such a solution is the ultimate data controller and is therefore accountable for the protection of that data. The data controller will also need to be certified, or at least carry out a full Data Protection Impact Assessment (DPIA), to demonstrate to the data protection authority that the way the solution has been implemented is also GDPR compliant.

We should mention other security control frameworks such as ISO 27001, the NIST Cybersecurity Framework or the CIS Controls at this point. Accredited certification bodies do exist for ISO 27001 (NIST and CIS publish frameworks and control catalogues rather than certification schemes). A comprehensive Information Security Management System (ISMS) overlaps with GDPR but does not cover it in full: in the case of ISO 27001, much of the general security-of-processing obligation (Article 32) will be covered, but the more specific data protection requirements, such as data subject rights, are not.

Back to the original question
So, is there real value in external certification beyond the marketing benefit? Once there is an official accreditation system, a certification will give all stakeholders peace of mind that an officially approved process has been followed, but it does not absolve anyone from being accountable for the ongoing protection of personal data. Clearly there is value in building an accredited certification framework that ensures quality standards are met.