GDPR Certification

Of late, there have been multiple queries from startups and SMEs about GDPR certification. They want their business to be "GDPR certified" in the same way it can be certified against ISO standards, primarily ISO/IEC 27001 (with ISO/IEC 27002 as its companion code of practice). Thankfully, people have now understood that an ISO certificate does not amount to GDPR compliance: ISO 27001 attests to an information security management system, not to the lawful processing of personal data.

Since 25 May 2018, the GDPR has applied to any organization that processes the personal data of individuals in the EU, including organizations outside the EU that offer goods or services to them (Article 3), so compliance is a precondition for doing business in Europe. For most Indian companies the driver is commercial rather than purely legal: European business partners prefer to engage GDPR-compliant vendors and partners because Article 28 obliges a controller to use only processors that provide sufficient guarantees, and their vendor due diligence follows from that. Hence everyone now wants a GDPR certification in addition to ISO.

The main purpose of this article, however, is to advise the startup community that, at the time of writing, there are no approved certification criteria and no accredited certification bodies for issuing GDPR certificates. Anyone claiming to offer "GDPR certification" is misleading you. You can be GDPR compliant, but you cannot yet be GDPR certified, because no body has been accredited to issue such a certificate.

Compliance with the Regulation itself, not a certificate, is what lets you conduct business without fear of fines or penalties. Article 42(4) is explicit that certification, even once available, does not reduce the responsibility of the controller or processor for compliance, and supervisory authorities retain all their powers regardless of any certificate held.

The GDPR does provide for certification under Article 42, and Article 43 sets out how certification bodies are to be accredited (by the competent supervisory authority or the national accreditation body), but at the time of writing no certification criteria have been approved and no certification body has been accredited under it.

Article 42 introduces certification as a way to demonstrate compliance with the Regulation, and an approved certification can be used for:

  1. demonstrating compliance with the requirements of data protection by design and by default (Article 25(3));

  2. demonstrating that the technical and organizational security measures implemented are appropriate (Article 32(3)), and that a processor provides sufficient guarantees (Article 28(5)); and

  3. supporting international transfers of personal data to third countries, together with binding and enforceable commitments from the recipient (Article 46(2)(f)).

Certification will be granted for a specific processing activity, such as HR processing or a marketing function, not for the organization as a whole. A controller and a processor will also need distinct certifications: a data controller holding a GDPR certification does not, by extension, make its data processors GDPR certified.

Certification will be voluntary and valid for a maximum of three years, subject to periodic review, after which it can be renewed under the same conditions (Article 42(7)). The EDPB will collate all certification mechanisms and data protection seals and marks into a publicly available register (Article 42(8)).

Until then, you can be compliant and continue with business as usual. For our readers, here are the steps to become GDPR compliant:

  1. Data Audit Process

  2. Consent Management

  3. Record of Processing Activities (Article 30)

  4. Data Security and Management Policies

  5. Privacy Policy Updates

  6. Technical and Organizational Measures

Get in touch for a detailed discussion on GDPR compliance process and steps forward.

Disclaimer: The materials available at this web site are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.
