EA contributes to implementation of the EU General Data Protection Regulation (GDPR) by promoting use of accreditation by National Accreditation Bodies.

In an area where confidence is the key word, EA Members and accredited CABs have a major role to play to support an essential regulation. Indeed, securing network and information systems in the European Union is essential to keep the online economy running and to ensure prosperity while protecting citizens and consumers on their personal data.

On 25 May 2018, the new EU-wide data protection instrument, the General Data Protection Regulation will become applicable, two years after its adoption by the European Parliament. The new Regulation will strengthen protection of the individual’s right to personal data protection, reflecting the concept of data protection as a fundamental right for the European Union. It’s a particularly topical issue regarding the recent Facebook/Cambridge Analytica data scandal .

On the 18th April, EA participated in a Stakeholder workshop, which took place in the framework of a study, supervised by the Directorate-General for Justice and Consumers. This study aimed to analyze existing certifications, provide recommendations for requirements for data protection certification mechanisms, accreditation criteria, and technical standards to be used by all involved in the chain. It also aimed to provide relevant output to support the establishment of data protection certification mechanisms/schemes and development of data protection seals and marks pursuant to Articles 42 and 43 of the General Data Protection Regulation (EU) 2016/679.

This workshop was the occasion to collect feedback on draft recommendations on the following issues:

  • Certification schemes under the GDPR
  • Assessment and approval of certification criteria
  • Technical standards for data protection certification
  • Certification as an appropriate safeguard for data transfers

EA emphasized at the stakeholder workshop that national certification schemes shall be avoided, because that would result in a huge number of different schemes and requirements. The aim should be to have one certification scheme, perhaps per defined sector(s) (if needed), which will be applied throughout Europe in order to ensure consistency and to strengthen confidence in certificates expressing compliance with the GDPR.

EA offered its support to the European Commission regarding the elaboration and/or evaluation
of the certification scheme(s).