
Europrivacy, a digital by design certification scheme for GDPR compliance

Dr Sébastien Ziegler, Chairman of the Europrivacy International Board of Experts, Europrivacy

Europrivacy is a certification scheme developed through the European Research Programme Horizon 2020 to assess data processing activities and certify their compliance with the European General Data Protection Regulation (GDPR) and complementary data protection regulations. It is managed by the European Centre for Certification and Privacy (ECCP) in Luxembourg under the supervision of an International Board of Experts. Europrivacy has been brought by the Luxembourgish National Commission for Data Protection (CNPD) to the European Data Protection Board (EDPB) for endorsement under Art. 42 GDPR. It is the first certification scheme under review for official recognition as a European Seal.

GDPR Certification – a powerful mechanism not exploited yet

There are over 70 references to certification in the GDPR, including for assessing the compliance of data processors (Art. 28.5 GDPR), for cross-border data transfers (Art. 42.2, 46.2.f GDPR) and for assessing the adequacy of the technical and organizational measures put in place (Art. 32.3 GDPR). As stated in the Regulation, the purpose of certification is “demonstrating compliance with this regulation of processing operations by controllers and processors” (Art. 42 GDPR) and “allowing data subjects to quickly assess the level of data protection of relevant products and services” (Recital 100 GDPR). As a consequence, certification under the GDPR is subject to very specific requirements. For instance, it needs to be aligned with the evolution of the Regulation, its related jurisprudence and soft law, including EDPB publications. That is why Europrivacy is supported by an International Board of Experts in charge of continuously monitoring the evolution of data protection obligations and updating the scheme accordingly. In other words, Europrivacy is a living scheme in osmosis with the regulatory environment. Another requirement is a specific focus on the certification of data processing activities. Consequently, certification of management systems, such as ISO/IEC 27001 and 27701, is not eligible under Art. 42 GDPR. The benefit of this approach is twofold. Firstly, it delivers a more granular and reliable indication of compliance. Secondly, it enables data controllers and processors to certify their data processing progressively, step by step, in decreasing order of priority. To ensure that such an approach does not become too costly, in particular for small and medium-sized enterprises (SMEs), an important part of the research has been dedicated to maximizing the efficiency of the certification process: increasing the reliability of the assessment while optimizing the process in terms of time and cost.

The benefits of a GDPR certification

Europrivacy has been designed to address precisely the requirements described above. It makes it possible to assess the compliance of data processing activities with all the GDPR obligations whose non-compliance could entail a risk for the data subjects’ rights and freedoms or for the applicant. The certification process starts with a systematic assessment of compliance with the data protection obligations, in order to identify residual non-compliances and to reduce the related legal, financial, and reputational risks for the applicant. Once the processing activity is validated, the applicant can demonstrate its compliance in order to build trust and confidence, develop competitive advantages, and improve its reputation and market access. A GDPR certification makes it possible to recognize compliance efforts and transform them into an asset that can become a potential source of revenue for the applicant. Another benefit of a Europrivacy certification is that all certified applicants are kept informed about any changes in data protection compliance requirements identified by its International Board of Experts.

Applicability to emerging technologies

As Europrivacy has been developed in the context of the European Research Programme Horizon 2020, it has been designed since its inception to encompass data processing involving innovative technologies such as artificial intelligence, distributed ledger technologies, and the Internet of Things. It works closely with the research community and is currently involved in several European research projects in the domains of e-health and medical data, artificial intelligence, smart grids, and connected vehicles. This has led to a unique certification scheme model that combines core criteria with complementary domain- and technology-specific criteria. It enables the same scheme to be used for certifying all sorts of data processing, while taking into account technology- and domain-specific obligations.

Addressing national obligations and extensibility to non-EU jurisdictions

GDPR certification requires national obligations to be taken into account. Europrivacy has researched and developed an innovative mechanism to address these national obligations in the certification process. It also provides support with profiles on complementary national data protection obligations for each EU jurisdiction, as well as for a series of non-EU jurisdictions. Indeed, another characteristic of Europrivacy is that it can easily be extended to non-EU jurisdictions.

ISO compliance

While Europrivacy’s prime focus is on data protection obligations, the scheme itself has been designed to be fully compliant with both ISO/IEC 17065 and ISO/IEC 17021-1. It is easily combinable with ISO certifications such as ISO/IEC 27001 or 27701, each complementing the other to simplify the certification process.

Building a global community of qualified partners

The European Centre for Certification and Privacy focuses on its role as scheme owner, ensuring that the certification scheme stays aligned with the evolution of the norms. The centre has developed an ecosystem of qualified certification bodies, law firms, and consulting firms able to deliver support and certifications to data controllers and processors. It encourages the global adoption of Europrivacy to support compliance and reduce the risks related to data processing in a growing data economy and digital single market.

Online academy, community website, resources and tools

Europrivacy has the ambition to develop and propose a new model of certification and user experience. In order to support the use and adoption of Europrivacy, the European Centre for Certification and Privacy has developed an online Academy: https://academy.europrivacy.com. It delivers a sequence of three training programmes: the Introductory Course, the Course for Implementers, and the Course for Auditors. Each programme is provided through online videos and is completed by an online exam to validate the acquired knowledge and understanding of the scheme. The implementer and auditor courses provide formal qualifications that demonstrate the ability of the qualified experts. In parallel, ECCP has developed an online Community website: https://community.europrivacy.com. It provides many online resources, including over 750 reference documents, templates, and guidelines to support GDPR certification. It provides three customized sets of resources, for Data Protection Officers, qualified implementers, and qualified auditors. Finally, it facilitates access to online tools and technologies from the research to support data protection compliance.

Promoting dialogue, cooperation, and knowledge sharing: Privacy Symposium 2022

Europrivacy has been designed to be a living scheme supported by a living community of experts, in order to address a fast-evolving regulatory and normative environment. The European Centre for Certification and Privacy supports international dialogue and cooperation in data protection and compliance. That is the reason why it is collaborating with the Council of Europe, ELSA, the European Centre for Cyber Security, and other organizations to organize the Privacy Symposium conference (www.privacysymposium.org) in Venice from April 5th to 7th 2022. The conference aims to promote international dialogue, cooperation, and knowledge sharing. It will discuss the evolution of data protection regulations at the national and international level, and their interaction with innovative technologies such as artificial intelligence, distributed ledger technologies (i.e., blockchain), the Internet of Things and edge computing. A specific programme will be dedicated to the compliance of e-health and medical data with the GDPR. The conference also includes a call for papers open to researchers and practitioners. The best papers will be presented in Venice and published by Springer.

Conclusion

Europrivacy built on the foundations of the ISO principles to research and deliver a highly innovative and efficient certification scheme with a new model of born-digital certification. It provides an agile and living certification scheme, able to address emerging technologies and a fast-evolving regulatory environment. It makes it possible to assess efficiently the compliance of all sorts of data processing activities, from regular ones to highly innovative ones. Technology is an important enabler, but it is only a means, not an end. While our ambition is to leverage technology to deliver a new user experience of compliance as a service for all stakeholders, our priority is to build a community of experts and partners with a true passion for data protection and compliance. As ELSA members, you are more than welcome to join us. If you are interested, feel free to contact us at: contact@europrivacy.org