European Union Agency for Network and Information Security (ENISA) publishes report on General Data Protection Regulation certification

ENISA has published a report to familiarise data protection experts with the terminology of certification and to clarify concepts relevant to GDPR certification.

The report identifies and analyses challenges and opportunities faced by data protection certification mechanisms, including seals and marks.

The GDPR, which becomes effective in the UK on 25 May 2018, introduces provisions on certification to enhance the transparency of the processing operations of data controllers and processors. The legislature sees certification as a way to assist controllers and processors in complying with the Regulation.

Professor Dr Udo Helmbrecht, Executive Director of ENISA, said: “The GDPR is a landmark piece of legislation which is designed to protect personal information. Given the digitalisation of our world protecting our personal data is critical to the operation of the Digital Single Market, I expect that this report will contribute to the effective implementation of this important piece of legislation.”

The report says that adopted GDPR data protection mechanisms should focus not only on whether measures are in place, but also on the extent to which such measures are sufficient to ensure compliance with the provisions of the Regulation.

The Regulation requires that a certification mechanism under the GDPR relate to data processing, and certification must be granted to the processing activity and not to the product, system or service, the report says.

Further, a controller that has had its processing operations successfully evaluated by a certification body can use the certification and its supporting documentation as a way of demonstrating compliance.

The report is designed to assist everyone involved in implementing and complying with the GDPR, from the European Commission and the European Data Protection Board to national certification bodies and supervisory authorities, who are all in a position to develop a harmonised understanding of GDPR data protection certification mechanisms and to provide further guidelines should queries and/or challenges arise.