According to article 42(1) of the GDPR, a certain data protection ‘checkmark’ should be encouraged! It is logical that a data privacy certification, seal or some kind of assurance helps organizations establish and build trust with their stakeholders, target audience, clients or customers by actively demonstrating compliance with the GDPR. Therefore, the European Data Protection Board (hereafter: EDPB) has published guidelines on certification and identifying certification criteria that are in line with the International Organization for Standardization (hereafter: ISO) 17065 Standard. This blogpost guides you through your options regarding the certifications in the field of data privacy.
The Dutch supervisory authority, the Autoriteit Persoonsgegevens (hereafter: AP), has adopted these guidelines as set by the EDPB. It is currently working on making it possible to apply for a GDPR certificate. An accredited institute can subsequently determine whether your specific processor service is compliant with the GDPR. This would be beneficial in demonstrating that you are actively engaged in the legitimate processing of personal data. However, thus far, no institutes have been appointed by the AP and it is not yet possible to receive such a certificate. This raises the question: what could your organization do in the meantime to demonstrate GDPR compliance?
Besides certification, there are other ways for organizations to demonstrate that they are operating in line with the GDPR. Assurance reports give organizations an option to demonstrate to key stakeholders and clients that the service they are offering is in line with the GDPR. We have extensive experience with established frameworks, such as the NOREA Privacy Control Framework, the ISO 27701 Standard for Privacy Information Management and our internally developed KPMG Privacy Framework. All privacy assurance reports based on one or more of these frameworks provide organizations with valuable insight into their compliance with the GDPR. The advantage of using the NOREA Privacy Control Framework is that it comes with the possibility to obtain the Privacy Audit Proof logo, which can be publicly displayed on, for instance, a website.
In case your organization is interested in obtaining assurance on specific processing activities or services, we have developed a process that helps you go from ‘unmanaged’ to ‘in control’. If necessary, we will start with a readiness assessment to get an overview of what structures, policies and governance you already have in place. Based on this, your organization will receive recommendations on issues that need to be improved in order to obtain an assurance report. Depending on the progress your organization has made, a pre-assessment can take place. Based on this pre-assessment, our colleagues will determine whether the required design (e.g. policies) is in place. After this, a Type I audit can be started. This means that our professionals will perform a detailed check of the design and implementation of the controls created to mitigate the privacy risks of your service.
In the first year, if you meet the control objectives from the NOREA Privacy Control Framework, you can obtain the NOREA ‘Privacy Audit Proof’ logo, which you can display publicly. In order to keep the aforementioned logo after the first year, your organization will have to complete a Type II audit without any issues. A Type II audit concerns the design, implementation and operating effectiveness. During this audit, our colleagues will test the operating effectiveness of the controls for your service (based on a minimum period of 6 months). If this all goes according to plan, you can maintain the ‘Privacy Audit Proof’ logo. The logo can be publicly displayed for all the world to see, just like privacy certifications!
Privacy Maturity Assessment
For many organizations, there is still a lot to be done in order to get the ‘Privacy Audit Proof’ logo. An assessment by the Assurance team will then be a bridge too far, which makes a Privacy Maturity Assessment a proper first step in the right direction. A Privacy Maturity Assessment will give you insight into where you stand as an organization and what still needs to be done for privacy to be an integral part of your organization.
We believe that the privacy maturity of organizations can be divided into five levels: initial, managed, defined, quantitatively managed and optimized. Your current maturity level will be assessed by leveraging our proven privacy methodology and framework. Our framework focuses on twelve pre-defined privacy domains providing an integral viewpoint of being in control regarding the processing of personal data within your organization.
Maturity level five is in general – of course – the highest aim, but it all depends on the ambitions you have for your organization and what level fits your organization best. Depending on your current maturity level, the investments you want to make, estimated risks and expected revenues, we can advise you on the steps needed to reach a higher maturity level and, eventually, obtain a ‘Privacy Audit Proof’ logo.
How can KPMG help?
Achieving the assurance described in this blogpost is a great way of showing that your service is in line with the GDPR, especially in the absence of the GDPR certificate. However, it is an intensive process, especially when there is an urgent need to establish trust with your clients and/or stakeholders. Therefore, we can assist and guide you through any preparations you need. This way, your organization can already build its trustworthy reputation regarding data privacy and cyber security, until you are ready to make your way towards that NOREA ‘Privacy Audit Proof’ logo. With the help of our Privacy Management Framework, we can assist with implementing and maintaining your platform, tailoring it exactly to the needs and reality of your organization. That way, you can put your new way of working with data privacy to good use as soon as possible and be in good shape for a privacy assurance procedure with our colleagues!
Do you need assistance in any data privacy related matter, or would you like to look at a new approach to efficiently manage your data privacy procedures and governance in a way that feels trustworthy to you? Let’s get into contact and discuss what solution we can offer that fits your organization best.