
GDPR certification for digital products and services coming in 2022

Digital products and services that operate in compliance with the General Data Protection Regulation (GDPR) are due to receive certification in 2022. This will make it quick and easy to see whether the requirements of the GDPR are being met.

GDPR certification: more complicated than expected

Whether IT products and services meet the requirements of the General Data Protection Regulation can be seen immediately from 2022 with the help of a certification. The basis for a uniform European accreditation and certification procedure is provided directly by the GDPR.

At present, around five years after the GDPR came into force, there is still no official certification body. Although many companies claim to be GDPR-compliant, this cannot really be verified with legal certainty at the present time.

According to Sebastian Meissner, Managing Director of the Bonn-based data protection certifier Europrise, certification in accordance with the GDPR was already a top priority at the European level in 2016, for example at the European Data Protection Committee (EDSA).

However, the audit phase for the certification program in particular “dragged on for so long, contrary to expectations,” Meissner tells heise online. One of the reasons for this was that it first had to be determined which requirements a certification body would have to fulfill. The existing standards of the International Organization for Standardization (ISO) were not sufficient for this.

GDPR certification with the help of DAkkS

In Germany, certification bodies are now accredited by the German Accreditation Body GmbH (DAkkS) together with the independent data protection supervisory authorities in accordance with Section 39 of the Federal Data Protection Act. In 2022, the first bodies are expected to have gone through the entire process.

By 2019, DAkkS and the federal and state data protection supervisory authorities had jointly defined the requirements and criteria. Among other things, DAkkS verifies compliance with the standard for certification bodies (ISO 17065) and with ISO 1767, the standard for product certification. Data protection issues are then additionally checked by the relevant data protection authority. For the whole of Germany, the North Rhine-Westphalian state data protection supervisory authority is currently in charge of this.

A long road

A spokesperson told heise online that it is hoped that in the first half of 2022 the first certification bodies will be accredited on the market and will be able to carry out certifications for their customers.

Europrise has submitted a draft criteria catalog for commissioned data processing to the North Rhine-Westphalian data protection supervisory authority and has already received the green light from the authority.

Initially, however, this applies only to one partial step of the accreditation process, because the required opinion of the European Data Protection Committee (EDSA) still has to be obtained as part of the so-called consistency procedure. This is already in progress, he said. However, Meissner does not expect an opinion from the EDSA plenum until March 2022.

Only then will the actual accreditation of the certification body by DAkkS and the data protection supervisory authority take place. After that, the catalog can be released for GDPR certification in Germany. For a Europe-wide release, on the other hand, another separate decision is necessary.

Europrise: GDPR certification for commissioned data processing in planning

The basis for the GDPR certification at Europrise will primarily be the GDPR itself, supplemented by the relevant national data protection law. For the interpretation of the relevant provisions, however, the case law of the European Court of Justice (ECJ), the guidelines of the EDSA and the publications of the Data Protection Conference must also be taken into account.

The standard data protection model (SDM) of the supervisory authorities is also incorporated into Europrise's criteria, as are certifications and procedures from the field of IT security, for example ISO/IEC 27001 and the IT-Grundschutz of the German Federal Office for Information Security (BSI).

At the same time, however, the Essen-based TÜV Informationstechnik GmbH (TÜViT) is also courting customers and advertising the fact that an appropriate GDPR certificate can be a competitive advantage, especially with regard to winning new customers.

It aims to offer a GDPR certification for data processing by information-processing service providers. Accordingly, no specialization in specific areas of application is envisaged. The criteria are based on the specifications of the Federal and State Data Protection Conference on the GDPR and on the corresponding ISO standards.

TÜViT initially intends to concentrate exclusively on the German market. DAkkS also gave the green light for this as early as September 2021. At the beginning of December, the North Rhine-Westphalian data protection supervisory authority intends to provide initial feedback on the possible scope of the planned certification program and its test criteria.

So there are still a few hurdles to overcome before the GDPR certification comes in 2022.

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
