On July 18, 2017, Italy's Data Protection Authority (Garante per la Privacy) clarified, through an important press release, a doubt regarding the concept of "Certifications" envisaged in art. 42 and 43 of the new General Data Protection Regulation, making for the first time clarity on an important doubt: data protection certifications currently present on the Italian market are NOT compliant with art. 42 and 43 GDPR. This article will explain you why.
The Garante's Clarification
Since the GDPR was published in the Official Journal of the European Union in 2016, many companies have begun proposing non-reliable GDPR compliance models to other companies under the name of "certifications."
So the first question is:
Who is the subject responsible in issuing GDPR certifications?
The Garante clarifies that the subjects eligible to issue certifications in Italy are the Italian Data Protection Authority (DPA) or the Certification Organisms. The latter may be accredited by the same Italy DPA or by the national accreditation body (for Italy, ACCREDIA), following the requirements identified in ISO/IEC 17065:2012 and "Additional Requirements", which are to be identified by the Garante.
Certification bodies and Italy's DPA can then issue certifications. However, these need to follow some "certification criteria" (as demanded in Art. 42(5) GDPR), which must also be identified by the Garante.
Conclusions
The Garante has distanced itself from entities or companies that offered certifications to businesses, and this is for two reasons (as you can see as well in the schema):
- We still miss the "Additional requirements" necessary to accredit Certification Bodies (pursuant to art. 43(1)(b)). They still need to be identified by the Garante.
- We still miss the "Certification Criteria" necessary to issue certifications pursuant to art. 42(5) GDPR (both from the DPA and Certification Bodies). They still need to be identified by the same Garante.
This is the reason why certification currently issued on GDPR compliance are not effectively compliant with GDPR.
The following months will be crucial for defining these missing requirements, and Garante is working with other European DPAs to do so.