Unless, of course, you have a really rusty snake...
There are products, people, process, codes of conduct, audit - probably if you are large you'll use OneTrust, TrustArc, Nmnity etc - but are any of these going to certify? I would simply doubt the sanity of anyone saying they could, and back away slowly with open body language and occasional eye contact...
'Certification' against GDPR in an organization will be a Herculean task, and one in line with the amount of effort you probably need to spend to be able to prove accountability, reduce impact when you have a breach and defend effectively against spurious claims.
For the Supervisory Authorities providing certification, well, this is fine, but let's say an entity certifies and then has a massive breach of personal data caused by something the certification didn't adequately check. That same SA (probably) then has to throw the book at an organization they said was doing a good job.
It will come, but I expect something like a good practice shield/badge first, then you can maybe audit for a tick in the box.
Rather than unilateral action, I suspect the WP29 needs to reach its final form and the EDPB will have a really good long think. SAs looking at the countries providing certification against their own data protection laws would also make sense.
I have seen a great deal of grandstanding from both technical professionals, and audit/risk/compliance professionals, claiming to have the key to silver bullet GDPR compliance.
Don't believe the hype.
GDPR, much like security practices in general, should be:
- a collaborative process involving all stakeholders, e.g. operational, management, compliance, audit etc.
- prioritized during the design process and not an "add-on" or "afterthought"
- a balance between compliance and operational considerations rather than sacrificing one for the other
- an iterative, continuous approach to development and improvement
- as simple (think user-friendly) as possible whilst maintaining the minimum required security posture baseline
I find myself repeating the same phrase of late.
"GDPR will fundamentally change our relationship with data."
Any future digital transformation, or governance, plans will need to prioritize this evolving relationship with data.
More on certifications as described in this European Union Agency for Network and Information Security (ENISA) publication:
A trustworthy Privacy training organisation in the UK is 'Amberhawk'.
They also have a good blog, "Hawktalk":
Although there have been some very good discussions at conferences and elsewhere, it is sometimes obvious that some comments and suggestions about privacy are largely theoretical, whereas others are grounded in practical experience with the existing legislation (e.g. the practical considerations re. identifying SARs, retrieving data for SAR responses and the role of HR).
Fundamentally, people either "get" what GDPR/Privacy/a data-centric focus are about or they don't. The point of true realisation may occur when a topic is discussed which has a personal privacy implication for them, rather than from their corporate training (e.g. they attempted to obtain personal records from somewhere and found it difficult). When the penny drops, they often start taking the subject more seriously and the true changes begin to take place.
From an awareness perspective, Sian Phillips mentioned somewhere that it takes 5 years for the messages from a new security awareness programme to become fully integrated within a large organisation. As well as GDPR awareness, staff have to understand and commit to the changes they're being asked to make, as those changes apply to their own roles.
I agree not to try to interpret the meaning of GDPR myself and instead to consult a colleague, such as the Data Protection Officer, who has training in the matter. My only concern is that with any new law there will be a timeframe in which specific items are still open for discussion and interpretation. I am counting on organizations such as ISC2 to keep the information flowing on GDPR and, through webinars or newsletters, inform their members about how specific points have been clarified.
In law school I learned that every law is open to interpretation, because otherwise why would we need lawyers? GDPR will be no different, and as complex as GDPR is, I am guessing that for the next few years we will continue to learn about the specific meaning of the law for certain case examples.