RELEASE OF THE NEW VERSION OF THE ISDP©10003:2020 SCHEME FOR GDPR COMPLIANCE ASSESSMENT
INVEO srl, as scheme owner, announces the release of the new version of the certification scheme ISDP©10003:2020, an international scheme for assessing compliance with European Regulation 2016/679 (GDPR), already accredited by Accredia on a voluntary basis according to ISO/IEC 17065. The scheme is freely downloadable online.
The scheme.
The scheme defines the general requirements and controls for demonstrating compliance under EU Regulation 2016/679 of the processing of personal data that the controller and the person in charge carry out as part of the products, processes and services they implement or otherwise provide. The new 2020 version pays particular attention to the nature, context and risk of the processing operations carried out, both in Europe and outside the European Union. The scheme has been developed as part of the broader compliance framework provided by the new European regulation on the processing of personal data, based on the principle of accountability and the protection of fundamental rights.
The object of certification also requires a detailed analysis of the processing operations, whose key elements (data, processes and technical infrastructure) are what is audited.
New features introduced by the 2020 version.
- Among the new features introduced by the new version of the scheme is a clearer definition of the scope, in particular of the two scopes of application defined by the GDPR and clarified in EDPB Guidelines 1/2018:
  - a general scope in relation to the compliance of data controllers and processors under Article 42(1) of EU Regulation 2016/679, as indicated in Note 1 of §1.2 Scope;
  - a specific scope in relation to the compliance of products, processes or services of data controllers and processors, as indicated in footnotes 2, 3 and 4 of §1.2 Scope.
- Introduction of 24 new controls determined by the review and/or approval of new guidelines crucial for assessing compliance, particularly with regard to the principles of transparency and fairness, risk management, and the exercise of data subject rights.
- Definition of the interoperability principle in §70 of the EDPB Guidelines 1/2018
- Table of interrelation between §49 EDPB guidelines 1/2018 and Macroprocesses of the scheme
- An important definition of how to conduct audits and definition of findings ("shall," "should," "may" according to ISO/IEC 17065:2012).
- Better framing and definition of risk management, particularly of acceptable risk (Ra) and inherent risk (Ri).
- Insertion of Annex B, a correlation table between the requirements and controls of the scheme and the articles and recitals of the GDPR.
The scheme can also be applied by processors to demonstrate the sufficient guarantees (ex Art. 28) that processors must present to data controllers.
"As Italians there is something to be proud of," says Riccardo Giannetti, scheme owner and training manager at Inveo. "A first aspect to remember, which is nothing new, is that the ISDP©10003:2020 scheme is a free scheme, free and available to anyone who wants to make use of it. Italy, with the skills and experiences expressed so far, particularly in the world of data protection and certification, wants to and must set an example for the rest of Europe in the field of applying the principles expressed by the GDPR and voluntary certification."
"A second aspect to draw attention to," Giannetti continues, "is what has already emerged in the European Commission's 2018 study (the so-called Tilburg study) on certifications under Articles 42 and 43.
In the study the Commission identifies, out of the total of 117 schemes analyzed, two schemes already for the purposes of Art. 42 and 43, and among them we already find the Italian scheme. Due to a time difference in release, the ISO 27701:2019 standard that is causing so much discussion does not appear in the study; this standard, which was born as a hypothetical candidate to meet the certification needs called out by the GDPR, already comes out as a blunt weapon. In fact, it should be recalled that the standard has taken a different path than the one required by the GDPR: it was designed by including it in the family of "management systems accreditable under ISO/IEC 17021-1" and is therefore incompatible with Art. 43(1)(b) ISDP©10003:2020, an incompatibility recalled precisely by ACCREDIA in its technical circular sent to Certification Bodies (https://ec.europa.eu/info/sites/info/files/data_protection_certification_mechanisms_study_final.pdf).
To date, therefore, the only certification schemes we have available are those indicated by the European Commission's final report in the Tilburg study."
"The scheme is voluntarily accredited under ISO/IEC 17065:2012 by ACCREDIA and we have started the process of evaluating the scheme so that it can be approved under Art. 42(5). With the new version of the ISDP©10003 scheme and the introduction of the many new features," concludes Riccardo Giannetti, "a great improvement effort has been made that will surely meet the approval of many professionals."