Stakeholder News

Data Regulation Compliance Certification and Accreditation – A New Paradigm

Dr Sébastien Ziegler
President, International Board of Experts of Europrivacy at ECCP
Rapporteur on Research and Emerging Technologies for the IoT and Smart Cities, ITU-T SG20 (ITU)

Data regulations

Digital transformation increasingly impacts citizens and businesses, leading to new laws and regulations. The European Union alone has over 100 regulations and directives to manage the digital economy, with the General Data Protection Regulation (GDPR) as the most prominent.

The GDPR and other regulations, like the Artificial Intelligence Act, establish the basis for certification schemes to be legally recognized. This makes certification more valuable, but also requires a perspective shift on its nature and purpose. According to GDPR’s Recital 100 and Art. 42, certification’s purpose is to demonstrate compliance with the regulation, which carries many implications.

From single to dual references

Most certification schemes are standalone references. Regulatory certifications, however, cannot be separated from the regulations they refer to, and those regulations may evolve over time. Schemes therefore need the agility to prevent gaps from opening between their criteria and the legal obligations.

Addressing legal compliance

Regulatory certification focuses on legal compliance, requiring legal expertise. The scheme and auditor determine whether a data processing activity complies with the law, considering the legal environment of the target of evaluation.

Serving the regulator

Certification must satisfy the regulator’s needs, priorities, and concerns. When Europrivacy sought approval as a European Data Protection Seal under Art. 42 GDPR, most of the effort went into addressing the expectations of the regulator and the supervisory authorities.

Dual validation process

Europrivacy underwent a dual validation process, reviewed and approved by both the European Data Protection Board (EDPB) and the European co-operation for Accreditation (EA). Each had distinct requirements. Efforts to minimize overlap between both procedures could be beneficial.

Impact on accreditation

Compared with conventional certifications, the GDPR has four major impacts on accreditation:

  1. Accreditation is delivered not only by national accreditation bodies (NABs), but also by national data protection (supervisory) authorities.
  2. EU/EEA member states may adopt national rules to specify accreditation requirements.
  3. Art. 43 GDPR restricts accreditation to EU/EEA NABs.
  4. EDPB-approved criteria can be reused outside the GDPR, but under different names and marks of conformity to avoid market confusion.

Challenging Aspects

Building trust, efficiency and affordability

Certification must comprehensively address legal obligations to build trust; assessing only partial compliance could mislead the market and data subjects. Certification should also be attractive and affordable for small and medium-sized enterprises (SMEs) and start-ups, whose specific needs Art. 42 GDPR requires to be taken into account. This calls for time- and cost-efficient documentation and assessment processes.

Sovereignty

Certified data processing activities may involve transfers to third countries, which bring different laws and levels of protection into play. While certification schemes must respect the sovereignty of those countries, the resulting risks for data subjects must still be addressed.

Enforceability

Being embedded in law, certification schemes require enforceable mechanisms, which calls for innovative approaches and international cooperation. The International Accreditation Forum (IAF) has a key role in supporting international cooperation for the cross-border enforcement of certifications, consistent with the WTO Agreement on Technical Barriers to Trade (TBT).

Importance of Research and International Cooperation

This new generation of certification schemes is considerably more complex, so it is no surprise that most of their development is anchored in research and innovation. The European Centre for Certification and Privacy (ECCP) was established in the context of the European research programme. Its mission is to leverage research and innovation for data protection, regulatory compliance, and certification, bridging the gap between the research community and the certification and compliance industry.

ECCP is delighted to support the IAF community and share its expertise. It will organize sessions on international data compliance certification at the next Privacy Symposium in Venice (May 12-16, 2025) and welcomes all interested IAF members to participate.

More information: https://eccpcentre.org, https://gdprcertification.com, and https://europrivacy.com