What is GDPR Certification?

GDPR certification refers to becoming legally compliant with the European Union’s (EU) General Data Protection Regulation, or GDPR. GDPR certification is a new feature of GDPR law that allows people or entities to receive certification from approved certification bodies to show both the EU and consumers that they are in compliance with GDPR. Certification is scalable and can be different for organizations of differing size and type.

GDPR itself is a regulation designed to give greater data protection to organizations operating in the EU and handling the data of EU citizens. GDPR applies directly to each EU member country and will allow for greater data protection harmony in the EU. GDPR also means greater data protection for customers, employees, and other individuals in the EU. Those not in compliance with GDPR will face stiff fines and other penalties when GDPR takes effect in May 2018.

How do You Become GDPR Compliant?

GDPR represents a great extension of legal jurisdiction insofar as data security is concerned, as GDPR regulations apply to all companies that deal with the personal data of EU residents, regardless of where those companies are based. GDPR demands that companies take certain steps to show that they are in compliance, such as:

  • Storing the personal data of users separate from information about their actions. This is so actions cannot be connected with users.
  • Documenting what user data is held, its source, and what data processing activities are used.
  • Creating and keeping up to date a register of user’s personal data and maintaining a record of user locations, responsible file owners, information sensitivity levels, data storage periods, and data availability.
  • Having a Data Protection Officer (DPO) on staff as of May 2018 if you are a public authority (excluding courts acting in judicial capacity), an organization engaged in the large-scale monitoring of individuals’ data, or an institution that does large-scale processing of special data categories.
  • Alerting authorities and users within 72 hours if a data breach is detected. Successful, large-scale hacker attacks will lead to serious fines.
  • Providing users with the “right to be forgotten,” which means that the user can have all personal information pertaining to them deleted if they so choose.
  • Informing the Information Commissioner’s Office (ICO) if you intend to collect, use, and/or store personal information.
  • Adopting internal data protection policies.
  • Training staff in data protection.
  • Conducting internal audits.
  • Reviewing internal HR polices.

In order to become GDPR compliant, a data management framework should be organized by senior management to ensure all regulations are complied with. Also, GDPR certification should be obtained.

What are GDPR Certification Examples?

According to Article 42 of the GDPR, GDPR certifications can be obtained from accredited certification bodies, a “competent supervisory authority,” or, in time, by the GDPR Board, which may fashion a “common certification.” Several examples of acceptable certification bodies include:

  • EuroPriSe. Their seal is the main European certification under the Directive. Its goal is to strengthen consumer trust in information technology services and tools. With EuroPriSe, vendors and manufacturers of IT services and products are subject to independent inspection of their security practices and data privacy, after which they can display the seal of EuroPriSe for two years before re-evaluation.
  • TRUSTe. This organization offers enterprise-level certification for US companies doing business in Europe. TRUSTe allows one to comply with both US law and GDPR and also provides assistance in regards to “Safe Harbor” self-certification through the US Department of Commerce. TRUSTe also offers certification for APEC.
  • ISO 27001 Information Security Management Systems and Cyber Essentials. This is the international standard for information security and is considered approvable certification for any business, small or large, in any business sector. It is especially well-regarded, however, in the health, financial, IT, and public sectors, as well as with any organization that handles high volumes of information on behalf of others.
  • Cyber Essentials. This offers basic foundational security controls for organizations to use and build upon. Cyber Essentials can work for organizations of all sectors and sizes, and is especially focused on clarifying the basics of good cyber security practice.

If you need further help understanding GDPR certification, you can post your legal need on UpCounsel’s marketplace. UpCounsel accepts only the top 5 percent of lawyers. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale and average 14 years of legal experience, including work with or on behalf of companies like Google, Stripe, and Twilio.

Interested in learning more about GDPR compliance?

Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.