For many, being GDPR certified or obtaining GDPR certification is the holy grail. It provides proof that you comply with the GDPR and other data protection laws. This is especially true for processors that process personal data for controllers. Processors, in particular, want to be able to prove to their customers that they take data protection seriously and comply with their legal obligations. It is much easier to produce a certificate that proves GDPR compliance, rather than having to complete various assessments and audits trying to prove it.
GDPR certification is now possible.
There is, however, still much controversy and uncertainty around GDPR certification. As it stands, obtaining this certification is actually possible. This article contains information on preparing yourself to become GDPR certified in the future. It also provides you with the questions you should be asking to get your organisation ready for GDPR certification.
Certified for what?
You first need to determine what certification you are seeking. To be GDPR certified indicates that you comply with the GDPR specifically. There are, however, numerous other data protection laws, standards and regulations that you can be certified as complying with, such as the various data protection standards or criteria. You could also be certified as complying with specific data protection laws other than the GDPR. For example, you might want POPIA certification for complying with South Africa’s data protection law. By the way, POPI certification isn’t currently possible.
How does my organisation get GDPR certified?
In order to obtain certification, an accredited, independent standards body needs to audit your organisation. If your organisation passes the audit, it is then certified. The process involves:
- applying to the independent body,
- obtaining a quotation and paying the audit fee,
- booking a time for the audit,
- passing the audit,
- receiving the certification.
It is important that you are certified by an independent body; otherwise you are just blowing your own trumpet or asking somebody you know to blow it. This really isn’t going to build trust with anyone. Europrivacy is an independent body that has been accredited to provide GDPR certification. Bureau Veritas is an independent standards body, but as far as we know the EDPB has not yet accredited it for GDPR certification.
Individual or organisation?
An important question is, ‘Who is being certified?’ Is it an individual or natural person (such as a GDPR expert or practitioner) or an organisation? The two certifications are different. Some people argue that the GDPR only enables organisations to become certified and does not provide for the certification of individuals.
Certifying individuals will not help you if you want to ensure that your organisation is trusted. While you may seek to employ certified people and customers may be impressed by them, this is not the best way to gain the public’s confidence.
How do I prepare my organisation for GDPR certification?
There are a number of steps you can take to prepare your organisation for GDPR certification. Firstly, identify what you want to comply with. You can then start the process of complying with that regulatory requirement. For those who want to become GDPR or POPIA certified, we have created an online data protection programme, which takes you there in modules. On completion, you should be ready to pass an audit for compliance with the relevant data protection laws.