It has been four years since European data protection rules came into force to ensure the confidentiality of our data, yet there is still a lack of understanding among companies and consumers about how to comply with them.
The acronym GDPR, which stands for the General Data Protection Regulation, is most often heard when Big Tech companies such as Google and Amazon are met with heavy fines. It essentially refers to the rules which control the use of our data so it is not used inappropriately, but the intricate details can still cause confusion.
A new certification system aims to make it easier for businesses and citizens to better understand the regulation and avoid penalties.
On Wednesday, the European Data Protection Board (EDPB), which is in charge of enforcing GDPR, endorsed a GDPR certification scheme for the first time.
It will allow individuals or entities to obtain certification from an approved accreditation body to demonstrate to the EU and customers that they are GDPR-compliant.
The organisation Europrivacy, a European research project co-funded by the European Commission and Switzerland, is the first to have its GDPR certification scheme officially endorsed by the EDPB.
It says the move will help organisations navigate the complicated business of GDPR compliance and certification.
“It’s majorly significant because, for GDPR, there were over 70 references to certification because it's a way to ensure that data is really processed according to the GDPR requirements,” said Dr Sébastien Ziegler, Chair of Europrivacy and President of the Internet of Things Forum.
“And the certification is the only mechanism to have an impartial party to assess that a company or even hospitals are really complying with GDPR,” he told Euronews Next.
The move means Europrivacy certificates will be recognised in all EU and European Economic Area Member States. This aims to clear up confusion about GDPR, since until now data protection compliance was essentially monitored by national supervisory authorities.
'A higher sense of trust'
Europrivacy believes the new system can encourage companies to be more proactive in getting independent third-party validation of how they process data and comply with EU privacy rules.
Ziegler said having a certification scheme that’s recognised by national authorities will give companies and users “a quite higher sense of trust”.
“Usually when you opt to share your personal data with service providers, all providers would say ‘of course we respect’ and of course ‘we comply with the law’. But there is always a doubt,” he said.
Ziegler said the scheme will not just help big companies but especially small and medium-sized enterprises (SMEs) and public bodies, as well as citizens.
“One of the requirements of GDPR is really to ensure someone who is collecting or processing personal data should and has the obligation to inform the data subject in very clearly understandable terms.
“And that's part of the certification, which is to assess that the information which is provided to you, to us, is clear and transparent”.
The way it would work is a company or public organisation would document how it is complying with GDPR, and then an approved certification body would examine this and certify its compliance.
Ziegler said the certification should not be thought of as a scheme but as a methodology to make GDPR more transparent to all, which will continue to educate companies and citizens about changes and alterations to GDPR rules.
“I think the next step is really to educate people, to understand compliance with data protection,” he said.
“It's also an opportunity for companies. It's a way not only to show they care about their users but this is something which is good for society and good for the economy. Having the risk to be non-compliant with the regulation is a risk for all the parties of a company”.
But Ziegler said better communication with citizens and companies is needed to create a dialogue about what would make GDPR clearer.
“Einstein used to say that if you have good scientific knowledge, you should be able to explain it in five minutes to a five-year-old kid. And I think it's really the benchmark for GDPR,” he said.