Kirwans corporate and commercial solicitor, James Pressley, discusses GDPR certification with IT Pro.
Vendor marketing is rife with claims that, as of 25 May 2018, you'll face huge fines of 4% of your annual turnover or €20 million, whichever is higher, were you to fail to adequately protect people's personal data.
IT Pro has punctured those claims before, but this hasn't stopped companies promoting all sorts of General Data Protection Regulation (GDPR) training courses that come complete with exams and certificates.
Almost all of them, though, are meaningless.
While the EU's legislation encourages member states to set up certifications demonstrating compliance with GDPR, only the UK's data regulator, the Information Commissioner's Office (ICO), has the power to create certification bodies.
These bodies can issue organisations with legitimate certification that demonstrates their GDPR compliance for a period of three years before needing to be renewed, which the EU says might be called 'the European Data Protection Seal'.
But the ICO hasn't created these certifying bodies yet, and anyway, the legislation makes clear such certifications would be voluntary; you don't have to have one.
How can you demonstrate GDPR compliance?
Corporate and commercial solicitor at Kirwans law firm, James Pressley, tells IT Pro there are a few different forms of proof organisations can offer the ICO. These must all demonstrate:
- Internal policies and procedures that comply with the GDPR's requirements
- The implementation of the policies and processes into the organisation's activities
- Effective internal compliance measures
- External controls
"All of these would not only need to be documented (for example, policies), but there would need to be a record kept of how they were being carried out in practice to demonstrate compliance," Pressley explains.
In addition, data controllers (the company ultimately using rather than simply processing personal data) must be able to show they have established a data protection compliance programme and privacy governance structure, as well as ongoing privacy controls.
Controllers must also embed privacy measures into corporate policies and everyday activities that concern personal data.
Not only must they document their privacy measures and keep records of compliance, but they must train employees on privacy and data protection matters and test their privacy measures, using the results to improve their policies.
How will the ICO measure compliance?
The ICO - and any other EU member state data protection authority - would consider whether your organisation is compliant with the points above, though it's probably wise to hire a legal specialist to guide you through the specifics to ensure you understand them fully.
Davis explains: "The GDPR is holistic: you have to comply with all aspects of the GDPR."
While there may be some debate as to whether a data protection policy is adequate, Pressley adds: "Past experience would suggest that the ICO requires full compliance with legislation and is unlikely to accept poor documentation or implementation."
Both lawyers make the point that when it comes to audits, firms suffering security breaches will be the ICO's first port of call.
" In practice [the ICO will measure compliance] by (a) becoming aware of organisations suffering from public breaches and (b) auditing organisations - especially those falling into the former category," Davis says.
Pressley agrees, stating: "There will be a lot of non-compliance, which will be obvious. There will be some major problems such as security breaches, in which case the organisation's policies and practices will be examined closely."
Are any GDPR certification schemes worth the money?
In short, no - certainly not if you enter them for the purpose of gaining a certificate demonstrating compliance. As we discovered above, there are currently no bodies empowered to audit and certify GDPR compliance. Those that do exist may say their certification is valid for GDPR, but in fact, they're often based on the National Cyber Security Centre's Cyber Secure standard, Pressley says. That means organisations who undertake their courses may still be found non-compliant by the ICO.
However, Pressley also says that the ICO intends to approve accredited UK bodies that can offer proper certification by spring 2018, just ahead of GDPR coming into force.
But Davis adds that existing schemes, if using the GDPR legislation as their basis, may have some value: "The more any organisation does to comply the better. Obtaining any form of external certification implies that [an] external organisation is going to check where the target organisation is not doing enough, thus enabling the target organisation to become more compliant."
As Featured In: IT Pro
Do you need legal assistance?
Simply complete the online enquiry form below or call us today.
Let Kirwans guide you on your legal journey.
Call today on 0800 525 035 or email us at [email protected]