Privacy & Information Security Law Blog

On March 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its draft guidelines on the accreditation of certification bodies under the GDPR (the “Guidelines”). The Guidelines were adopted by the Working Party on February 6, 2018, for public consultation.

CIPL emphasized that one overarching goal for GDPR certifications must be that they are scalable to organizations of all sizes, including micro-, small- and medium-sized enterprises. This goal also must be reflected in the accreditation standards for certification bodies, so that sufficient certification bodies capable of certifying these types of enterprises will be accredited. To that end, CIPL’s comments highlight that the GDPR provides for more than one route towards an appropriate accreditation standard (i.e., accreditation that builds on an existing system of national accreditation bodies that operate under established ISO standards, and accreditation by supervisory authorities). CIPL believes both routes towards accreditation of certification bodies will have useful roles to play within their respective areas of core competency, and that the accreditations by supervisory authorities should specifically ensure flexibility, scalability and interoperability with similar certification schemes in other regions.

In its comments to the Guidelines, CIPL recommends that the Working Party make several changes or clarifications as follows:

• Clarify that when supervisory authorities accredit certification bodies under Art. 43(1)(a), they should do so under a common EU-wide accreditation standard approved by the European Data Protection Board (“EDPB”) that takes into account requirements adopted by the EU Commission (the “Commission”) in accordance with Art. 43(8) of the GDPR;
• Underline the EDPB’s responsibility to establish independent assessment criteria for reviewing supervisory authority-submitted accreditation criteria, in order to maintain comparability and consistency across the EU;
• Clarify that ISO 17065 should be viewed as instructive, but not mandatory, for supervisory authorities, the EDPB or the Commission as they develop or approve accreditation requirements for certification bodies;
• Highlight that the APEC Accountability Agent Recognition Criteria are a good model for consideration in connection with accreditation standards to be developed by supervisory authorities, the EDBP or the Commission;
• Underscore that ISO 17065 should be applied flexibly by national accreditation bodies to further the scalability goals of the GDPR with respect to micro-, small- and medium-sized enterprises and to facilitate consistency with standards developed or approved by the supervisory authorities and/or the EDPB;
• Emphasize that the additional requirements supervisory authorities develop for accreditations by national accreditation bodies under Art. 43(1)(b) should also take into account scalability and the needs of micro-, small- and medium-sized enterprises.

To read the above recommendations in more detail, along with CIPL’s other recommendations on the accreditation of certification bodies under the GDPR, view the full paper.

CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 90 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input about other GDPR topics prioritized by the Working Party.