For many, being GDPR certified or obtaining GDPR certification is the holy grail. It provides proof that you comply with the GDPR and other data protection laws. This is especially true for processors that process personal data for controllers. Processors, in particular, want to be able to prove to their customers that they take data protection seriously and comply with their legal obligations. It is much easier to produce a certificate that proves GDPR compliance than to complete various assessments and audits trying to prove it.
There is, however, still much controversy and uncertainty around GDPR certification. As it stands, obtaining this certification actually isn’t possible. This article contains information on preparing yourself to become GDPR certified in the future. It also provides you with the questions you should be asking to get ready for when GDPR certification is possible. The short answer is that getting certified in terms of the GDPR can be tricky, time-consuming and expensive.
Certified for what?
You first need to determine what certification you are seeking. To be GDPR certified indicates that you comply with the GDPR specifically. There are, however, numerous other laws, standards and regulations that you can be certified to have complied with, such as the various data protection standards. You could also be certified to comply with specific data protection laws that are not the GDPR. For example, you might want POPIA certification for complying with South Africa’s data protection law. By the way, POPI certification isn’t currently possible either. Being POPIA ready is, though.
How does my organisation get GDPR certified?
In order to obtain certification, an accredited, independent standards body (such as Bureau Veritas) needs to audit your organisation. If your organisation passes the audit, it would then be certified. The process involves:
- applying to the independent body,
- obtaining a quotation and paying the audit fee,
- booking a time for the audit,
- passing the audit,
- receiving the certification.
It is important that you are certified by an independent body, otherwise you are just blowing your own trumpet or asking somebody you know to blow it. This really isn’t going to build trust with anyone. We are not aware of any independent body that has been accredited to provide GDPR certification. The process of being accredited is currently lengthy, confusing and controversial.
Individual or organisation?
An important question is, ‘Who is being certified?’ Is it an individual or natural person (such as a GDPR expert or practitioner) or an organisation? The two certifications are different. Some people argue that the GDPR only enables organisations to become certified and does not provide for the certification of individuals.
Certifying individuals will not help you if you want to ensure that your organisation is trusted. While you may seek to employ certified people and customers may be impressed by them, this is not the best way to gain the public’s confidence.
Software, product or platform?
It is possible for an organisation to get specific software, a product or a platform GDPR certified. The audit would then be restricted to that specific offering. The question you have to ask is whether you want to build trust in your entire organisation or just in a particular offering.
When is it possible to be GDPR certified?
Currently, it is not possible to obtain GDPR certification. Independent bodies are struggling to get accredited by data protection authorities and it will still be some time before any of the bodies are successfully accredited. In the interim, be careful of anyone offering GDPR certification. It probably isn’t accredited and may not be worth the paper that it is written on.
How do I prepare my organisation for GDPR certification?
There are a number of steps you can take to prepare your organisation for GDPR certification. Firstly, identify what you want to comply with. You can then start the process of complying with that law. For those who want to become GDPR or POPIA certified, we have created an online data protection programme, which takes you there in modules. On completion, you should be ready to pass an audit for compliance with the relevant protection laws.