Every person has the right to the protection of personal data concerning him or her, and the task of Regulation (EU) 2016/679 is the protection of natural persons.

Certification is an effective institution that allows data subjects to quickly assess the level of data protection for products and services. Certification under the GDPR has precise rules that do not coincide with ISMS standards.

By Riccardo Giannetti (Inveo scheme manager  - president Osservatorio679)

ABSTRACT
The GDPR establishes an updated compliance framework for data protection in Europe, based on the principle of accountability and protection of fundamental rights. This new framework focuses on a number of useful measures to facilitate compliance with the provisions of the General Data Protection Regulation, including mandatory requirements in specific circumstances (DPO appointment, Impact Assessment, etc.) and voluntary measures such as codes of conduct and certification mechanisms[1].

Even before the implementation of the GDPR, WP29 had noted how certification could play an important role in the framework of owner accountability[2].

In order for certification to provide reliable evidence of compliance, in terms of data protection, the clear regulations introducing requirements on the types and methods of implementation of certifications covered by Regulation (EU) 2016/679 should be considered, and any dangerous confusion about alternative certification routes should be dispelled.

Article 42 of the GDPR provides the legal basis for the development of such standards.

Certification mechanisms, by their very nature, can increase transparency not only for data subjects but also in the context of business-to-business relations, for example, between data controller and data processor. The establishment of certification mechanisms, as outlined in Regulation (EU) 2016/679 ("GDPR"), can improve transparency and compliance with the regulation and enable data subjects to assess the level of data protection for products and Services[3]

Certification therefore, as a voluntary act, has the overall ultimate purpose of instilling confidence in all interested parties that a product meets specified requirements. The value of certification therefore is the degree of trust and credit established by an impartial and competent demonstration of fulfillment of specified requirements by a third party.

For these reasons, certification under GDPR will have to be a certification that arises in a specific environment, with specific rules.

[1] EDPB Guidelines 1/2018
[2] WP29 - 173 Opinion 3/2010
[3] Recital 100 (EU) 2016/679