Privacy certifications for companies

The GDPR has led to a revolution in the protection of personal data, and has introduced a regulatory approach to which Italian companies were not previously accustomed: accountability, a risk-based approach, obligations not perfectly laid out by the legislator, whose contents are left to the unbiased assessment of the organizations – which must be GDPR compliant, or risk the imposition of significant fines.

From a distance of over three years, the GDPR continues to be the purview of sector specialists, to the point of being at times incomprehensible in the eyes of organizations and, above all, data subjects.

In this context, privacy certifications pursuant to article 42 can represent a valid tool:

• For organizations, who can benefit from “reduced sentences” and make themselves more attractive in the eyes of the market
• For data subjects, who can easily recognize data processing approved by competent controllers through a “stamp” of approval.

But what is the role of certifications within the GDPR? What are the standards for certification? Is it possible to adopt ISO/IEC 27701 and have the benefits of certification in accordance with the GDPR?

We’ll take a look at these in order. 

First and foremost, we should remember that privacy certifications pursuant to article 42 relate to company processes, and not to company personnel.

The certifications we are talking about are “stamps” of approval which guarantee that specific personal data processing within the organization is compliant with the certification scheme adopted.

The certification framework is represented by articles 42, 43 and 83 of the GDPR.

In short, we can say that certification:

• Does not exempt an organization from accountability
• Can be suitable to avoid penalties under the GDPR or reduce the amount of fines, according to the unbiased assessment of the supervisory authority 
• Is a double-edged sword: revocation involves the certification body informing the data protection authority.

For further information on GDPR certifications in general, refer to the very recent FAQ from the “Garante” (Italian data protection authority: document in Italian) https://www.garanteprivacy.it/regolamentoue/certificazione-e-accreditamento.

When talking about GDPR certifications, the most commonly referred to schemes are the following: 

• ISO/IEC 27701:2019
• UNI/PdR 43.2:2018
• ISDP 10003:2020

We must remember that not all are or can become certifications pursuant to article 42. 

Let’s take a closer look.

1.2.1 ISO/IEC 27701:2019

ISO/IEC 27701 was widely discussed at the time of its publication.

The system specifies the requirements of and provides guidelines for establishing, implementing, maintaining and ensuring continuous improvement of a personal information management system (PIMS) in the form of extension of ISO/IEC 27001.

Despite this, this scheme does not (and may never) represent a valid standard for certification under article 42 of the GDPR, as also pointed out by Accredia itself, the Italian accreditation body.

Although this scheme cannot represent a valid certification pursuant to article 42 of the GDPR, it is widely known and is viewed well by the market, with all the consequent benefits.

1.2.2 UNI/PdR 43.2:2018

UNI/PdR 43 is an Italian standard entitled “Linee guida per la gestione dei dati personali in ambito ICT secondo il Regolamento UE 679/2016 (GDPR) - Requisiti per la protezione e valutazione di conformità dei dati personali in ambito ICT” (guidelines for the management of personal data in ICT environments in accordance with Regulation (EU) 679/2016 (GDPR) - Requirements for protection and conformity assessment of personal data in ICT environments).

It is divided into two sections.

Section 2 provides a suitable set of requirements that allows organizations, particularly SMEs, to structure processes compliant with the provisions of the national and European regulatory framework, being able to demonstrate this compliance and effectiveness through a certification path.

This standard is suitable to represent a certification in accordance with the GDPR, even though its approval process in this regard is not yet complete.

The adoption of this scheme cannot currently provide the benefits typical of certification pursuant to the GDPR, but can nevertheless be advisable in certain contexts and represents evidence of reliability in the eyes of the market.

​​​​​​1.2.3 ISDP 10003:2020

The ISDP 10003:2020 scheme defines the general requirements and checks to demonstrate GDPR compliance of processing of personal data that the controller and data processor carry out in the area of products, processes and services.

Like UNI/PdR 43.2:2018, this standard is also suitable to represent a certification in accordance with the GDPR, even though its approval process in this regard is not yet complete.

Unlike the UNI standard, this standard is proposed as an international scheme. It is a process certification.

In this case too, the fact that the approval process for full operation of the scheme as a certification pursuant to the GDPR is not yet complete means that ISDP 10003 is not currently able to provide the typical benefits.

In addition to the lack of completion of the approval process, the “cons” of adopting this certification are those typical of any GDPR certification, i.e. the lack of guarantee of full GDPR compliance of the entire organization and notification of the “Garante” in the event of revocation of the certification. 

​​​​​​Few, compromised and not immediate – the certification schemes pursuant to article 42 of the GDPR do not yet exist.

While the heralded ISO/IEC 27701 is not suitable to represent a valid certification scheme pursuant to the GDPR, UNI/PdR 43 and ISDP 10003 are trapped for the time being (like all the certifications under article 42) in the slow gears of the European regulatory machine.

While further developments are rumored by the end of the year, controllers and data processors can only wait for the possibility to get certified.

Despite this, signing up to the above schemes can nevertheless involve advantages.

Compliance with ISO/IEC 27701 is useful for ISO/IEC 27001-certified organizations which wish to convey reliability to the market.

Although it is not a certification pursuant to the GDPR, compliance with this standard involves all the typical benefits (such as at organizational level), and can be useful for organizations which wish to stand out with a top-level certification and to extra-EU organizations which wish to move closer to the GDPR.

UNI/PdR 43 and ISDP 10003 will probably become certifications valid under article 42 of the GDPR.

It should be remembered that both standards can be adopted, and the processes (processing) on which they are based are already certifiable (even though this certification is not currently a “valid” one pursuant to the GDPR).

The adoption of these standards can be useful not only to organizations which wish to start gaining familiarity and gain a future-focused outlook, but also those that wish to benefit from a “stamp of approval” for their processing, which is very useful in the eyes of the market, even if not currently recognized by the GDPR.