Gartner: Three years in … is there such a thing as “GDPR compliant”?

GDPR has fundamentally transformed how businesses handle personal data around the globe, but implementing such detailed reform comes with its own challenges.


This is a contributed article by Nader Henein, Research VP, Gartner.

Ever since it came into effect, the General Data Protection Regulation (GDPR) has become one of Europe’s most famous exports. A ground-breaking privacy framework, it has fundamentally transformed how businesses handle personal data around the globe and has inspired dozens of countries into following suit.

Since then, businesses that want to operate in the EU, but fall short in following these norms, have been charged with heavy fines totalling in the hundreds of millions in just three short years. GDPR compliance is not optional and not complying can be costly.

However, implementing such detailed reform comes with its own challenges. With large corporates, including Google and Facebook, struggling to comply with GDPR guidelines, it’s not surprising that companies of all sizes feel a Pavlovian shudder whenever they hear an update on GDPR requirements.

More recently, the European Data Protection Board (EDPB) approved two codes of conduct (COC) for cloud providers. This has reinvigorated the question of whether there’s such a thing as being GDPR compliant, given these COC don’t provide formal certification. The short answer is “no,” the longer answer is “not yet, but it should be coming soon”, and businesses need to prepare.

As a result, businesses need to understand that progress is being made by several certification schemes on formalising GDPR compliance – and IT leaders and vendors can already start demonstrating compliance and prepare for formal certification: Here is how.

GDPR compliance: a work in progress

Despite the GDPR coming into effect in May of 2018, the process to operationalise Article 42 (which would allow the creation of a certification mechanisms) only came about in early 2020, after the EDPB published approval procedures.

This announcement gave businesses looking for formal certification new hope as it set out a process allowing certification bodies to submit their schemes for formal approval.

Earlier in 2019, a European Commission (EC) study identified 117 certification schemes and selected 15 for detailed analysis. Similar to the code of conduct, there are data protection and privacy certification mechanisms that “may be used as an element to demonstrate compliance” but are outside the scope of Article 42. These include personal information management systems such as BS 10012, the NIST Privacy Framework, and ISO 27701. The latter is an extension of the 27000 ISO series and has been met with strong support from the CNIL, France’s SA, and one of the most active voices within the EDPB.

Further to this, the EC study also highlighted two certification schemes as potential candidates to provide formal certification against the GDPR: ISDP 10003 from Accredia (Italy) and the European Privacy Seal from EuroPriSe (Germany). These mechanisms can certify products, processes and services, and, in the case of EuroPriSe, businesses can follow their progress towards formal approval as they work through the process with the German regulator and, ultimately, the EDPB.

Why is the certification critically important for IT leaders?

Organisations are responsible not only for their choices when selecting a vendor, but also for vendors’ choices. They must assess the vendor risk and conduct proportionate due diligence to provide the organisation with adequate assurance that neither their providers, nor any of their subsequent sub-processors, are mishandling personal data. 

This becomes extremely difficult given that one product may have different layers of sub-processors from region to region. Formal certification does not eliminate responsibility, but it substantially reduces the effort needed to validate a vendor product. By shifting the due diligence to a structured certification process attested to by an independent assessor, organisations are reassured that they are complying with GDPR when working with vendors.

The recent announcement made by the EDPB on the two codes of conduct, coupled with the various certification schemes that have been made available since the GDPR came into effect, clearly demonstrate that progress is being made – and point to an imminent future where formal certification will be available. 

Companies and IT leaders should be prepared for it and look at the available schemes that can help them achieve formal GDPR compliance easily. This includes:

For vendor organisations that are selling products or providing data services to their clients, a way to certify GDPR compliance would be by opting the ISDP 10003 certification scheme or the European Privacy Seal scheme. Either of these schemes can grant organisations a certified configuration that can turn into formal GDPR compliance once a ruling is made by the EDPB.

For end-user organisations looking at certification to validate products and / or data services, businesses will need to assess the target of evaluation (TOE) against which certification was achieved. This document defines the products and configurations in scope for the formal assessment process.

However, for those end-user businesses wanting to assess internal procedures when handling personal information – it will be worth considering BS 10012, the NIST Privacy Framework, or ISO 27701 to establish a personal information management system.

Crucially, privacy certifications — whether formally approved for GDPR compliance or not — are an excellent approach to support structure in a privacy program and provide a competitive advantage.

Being two steps ahead on certifying GDPR compliance can only make life easier for businesses as the question is now on when can companies formally certify they’re GDPR compliant – rather than how.