
Comparing the GDPR Instruments with other mechanisms

The GDPR formally recognises four main instruments available to Data Controllers and Processors to provide appropriate safeguards and support their compliance: certification, codes of conduct (CC), Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC). Let’s compare their respective characteristics and limits:

Data protection by design and by default

Data protection by design and by default is one of the most challenging legal obligations to document and demonstrate. Certification is the only instrument that Art. 25 GDPR recognises as an element "to demonstrate compliance with" this requirement.

Demonstrating adequacy of Data Controllers

Art. 24 GDPR sets out the general obligations of Data Controllers. It mentions two instruments that may be used as elements to evidence such compliance: certification and codes of conduct.

Demonstrating adequacy of selected Data Processors

Under Art. 28 GDPR, "the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures." The controller remains accountable and liable for breaches and non-compliance by its data processors. It is therefore expected to perform a complete assessment of the measures effectively in place at each data processor before sharing any data with it. Fortunately, the same article recognises two instruments that may be used to demonstrate such sufficient guarantees: certification and codes of conduct.

Demonstrating adequacy of security measures

Art. 32 GDPR requires a level of security appropriate to the risk. As for processors, it also recognises certification and codes of conduct [with regular audits] as elements by which to demonstrate compliance with this requirement.

Impact on administrative fines

Art. 83 GDPR requires supervisory authorities, when deciding whether to impose an administrative fine and determining its amount, to take into account the adherence of the controller or processor to an approved certification mechanism or code of conduct. Moreover, both a certification and a code of conduct substantially reduce the risk of non-compliance in the first place.

Availability

The good news is that approved certification criteria and SCCs already exist and can be used as they are. Adopting a code of conduct requires a substantial effort: it requires mobilising a representative number of companies through an association to develop, implement and get the code approved, and the process may take several years. Binding Corporate Rules must also be approved by the competent supervisory authority. That process may likewise take several years, and BCR can be used only by entities that are formally part of the same company group (not, for instance, by the group's data processors).

Universality

SCCs and GDPR certification schemes such as Europrivacy are industry agnostic and can be used by all data controllers and processors. Other certifications may be restricted to data processors only or to specific targets of evaluation. Binding Corporate Rules are company specific. Codes of conduct are industry specific, which means that data controllers and processors sharing data may be subject to different codes of conduct. For instance, a code of conduct designed for hospitality services will not be adequate for service providers such as an accounting firm working for hospitality companies.

Time and effort

On the assumption that a company is already complying with the GDPR, the time and effort required vary among the instruments. An SCC requires the parties to agree on the terms (including the annexes describing the processing) and sign the agreement. For a company with a single B2B partner, it is the fastest instrument. However, while a single certification can be relied on with an unlimited number of data controllers and processors, a distinct SCC must be adopted and signed with each and every partner with whom data are shared.

Flexibility and Adaptability

Some instruments are focused on company-level requirements (BCR, CC), while others focus on specific data processing activities (certification, SCC). The first category requires ensuring compliance across the whole organisation at once. The second category enables companies to focus their effort on their priority data processing and to put first things first.

Reliability

The level of reliability depends on the nature of the instrument. For instance, an SCC is a binding commitment made by an entity, but there is no audit or control of the effective compliance behind it, whereas a certification relies on regular third-party audits performed by qualified auditors. The Trust Level Scale (TSL) provides a scale from A (highly reliable) to I (not reliable at all) to assess the level of trust in effective compliance. When applied to the four instruments, the result ranges from F for SCC to A for certification.

Value Creation

All instruments contribute to supporting compliance. However, only one of them, certification, enables a company to turn compliance into an intangible asset. Like a patent, a certification constitutes an intangible asset of the company and turns compliance into a source of value creation. It can be used by marketing and sales teams as a competitive advantage, and it can reduce uncertainty for financial analysts, investors and shareholders.

The following table summarizes the characteristics of the four instruments.

Characteristic                                                                  SCC   BCR   CC    Certification
Demonstrating data protection by design and by default under Art. 25 GDPR       NO    NO    NO    YES
Demonstrating adequacy of Data Controllers under Art. 24 GDPR                   NO    NO    YES   YES
Demonstrating adequacy of selected Data Processors under Art. 28 GDPR           NO    NO    YES   YES
Demonstrating security of data processing under Art. 32 GDPR                    NO    NO    YES   YES
Universality: cross-industry applicability                                      YES   NO    NO    YES
Valuable as an intangible asset                                                 NO    NO    NO    YES
Possibility to select and focus on priority data processing                     YES   NO    NO    YES
Impact on administrative fines under Art. 83 GDPR                               NO    NO    YES   YES
Scalability and extendability (one can be used with all B2B partners)           NO    NO    YES   YES

As illustrated by the table, certification appears to be the most powerful instrument, with many advantages. This is consistent with how often each instrument is formally referenced in the GDPR:

  • Certification is mentioned 73 times in 12 articles
  • Codes of conduct are mentioned 36 times in 10 articles
  • Binding Corporate Rules are mentioned 25 times in 7 articles
  • Standard Contractual Clauses are mentioned 7 times in 2 articles

Conclusion

Each GDPR instrument offers a different set of benefits and a different level of reliability with regard to effective compliance. It is up to the DPO to assess and choose the one that best addresses the needs of their employer. We hope this analysis will help you compare and choose.

Should you change your mind, moving from one instrument to another, or combining several instruments, is quite simple once you have checked and documented your compliance.

References

Instrument                    No. of GDPR references   Articles                                          Recitals
Standard Contractual Clauses  7                        28, 57                                            81, 109, 168
Binding Corporate Rules       25                       4, 46, 47, 49, 57, 58, 64, 70                     107, 108, 110, 168
Codes of Conduct              36                       24, 28, 32, 35, 40, 41, 46, 57, 58, 64, 70, 83    77, 81, 98, 99, 148, 168
Certification                 73                       24, 25, 28, 32, 42, 43, 46, 57, 58, 64, 70, 83    77, 81, 100, 166, 168