Companies inside and outside the European Union are feeling the impact of GDPR, and if you have noticed the glut of complex and long-winded cookie notifications, you can see why. Any business that processes the personal data of people in the EU, wherever that business is located, must comply with GDPR. To streamline the process of demonstrating compliance, the EU recently approved a central certification mechanism called Europrivacy.
What Is GDPR?
The General Data Protection Regulation, or GDPR, is the governing set of standards and requirements for the processing of personal data in the European Union. To address the rapidly (and often radically) shifting IT and data protection landscape, the EU implemented GDPR as a forward-looking regulation that protects citizens' rights over their personal data while allowing the data-based industry to flourish.
GDPR is generally considered the world’s strictest set of data regulations due in no small part to its approach to data privacy and accountability. Some of the unique principles of this framework include:
- Data Subject Rights: Under GDPR, the individual whose data is processed (the "data subject") retains control over their personal data. Unlike many other standards, GDPR codifies specific rights for data subjects, including the right to obtain a copy of the personal information a business holds about them and the right to have that data corrected or deleted. Selling or otherwise sharing personal data with third parties is not flatly prohibited, but it requires a lawful basis and clear disclosure to the data subject, who may object to the processing.
- Notification and Consent: Consent is one of the lawful bases on which an organization may collect and process personal data, and it is the usual basis for marketing and other optional data-based initiatives. Where consent is relied upon, it must be freely given, specific, informed, and unambiguous; it must be obtained through a documented and logged mechanism that clearly states the purpose of the collection; and it must be as easy to withdraw as it was to give. The organization may not use the data for any purpose beyond the one it was collected for.
- Response Times: Any request from a data subject (whether for access to, correction of, or deletion of their information) must be fulfilled without undue delay and in any event within one month of receipt. That period may be extended by up to two further months where requests are complex or numerous, provided the data subject is informed of the extension and the reasons for it within the first month.
- Company Hierarchy: GDPR requires certain organizations to appoint a Data Protection Officer (DPO): public authorities, organizations whose core activities involve large-scale, regular, and systematic monitoring of individuals, and organizations whose core activities involve large-scale processing of special categories of data. The DPO may be an employee or an external contractor and may hold other duties, provided those duties do not create a conflict of interest with overseeing GDPR compliance.
- Penalties and Fines: GDPR levies stiff fines against companies that do not comply with the regulation. These can extend up to €20 million or 4% of worldwide annual turnover from the previous financial year, whichever is greater. The fines are scaled so that large technology companies, which might otherwise have little incentive to comply, feel them. For example, Luxembourg's data protection authority fined Amazon Europe Core €746 million in 2021 over its processing of personal data for advertising purposes, the largest GDPR fine on record at the time of writing.
How Does Europrivacy Relate to GDPR Compliance?
Europrivacy is a GDPR certification scheme developed by the European Centre for Certification and Privacy (ECCP) in Luxembourg, originally under the EU's Horizon 2020 research programme, and approved by the European Data Protection Board (EDPB) as the first European Data Protection Seal under Article 42 of GDPR. Before Europrivacy, an organization seeking to demonstrate GDPR compliance worked with a certification body accredited at the national level, either by a national accreditation body or by the national data protection authority.
The problem with this is that those bodies offer certifications in distinct and sometimes fragmented ways. For example, some organizations rely on ISO 27001 as evidence of compliance, even though ISO 27001 is an information security management standard and not a GDPR certification. Companies in the U.S. might work with certifying bodies that take yet another approach.
Europrivacy is the first certification approved for the whole EU under a single seal. Although the scheme is in the earliest stages of rollout, there are some basic steps that all companies will need to follow:
- Preparation: The organization selects the data processing activities it wants certified, documents them, and applies the Europrivacy criteria to them to show that they handle personal data in line with GDPR. The scope of what is assessed is called the Target of Evaluation (ToE).
- Assessment and Certification: A Europrivacy-approved assessor evaluates the ToE against the GDPR and Europrivacy criteria and reports any non-conformities, which the organization must remediate before a certificate can be issued. Once certified, the assessed processing activities are published, under the organization's name, in an online registry of certificates.
- Monitoring: Certificates are valid for three years and include yearly surveillance audits. After this period, the organization must have the ToEs recertified.
How Does Europrivacy Impact Compliance in the EU?
GDPR governs every EU member state (and, through the EEA agreement, Iceland, Liechtenstein, and Norway), covering thousands of organizations and their data-gathering and processing activities. Decentralized auditing and certification can support compliance in the short run, but a certification recognized across the whole EU brings stability and consistency to the process.
Some of the additional benefits of Europrivacy include:
- Transparency: Europrivacy was approved by the European Data Protection Board, which is composed of the national data protection authorities of the EU. The approved criteria are published, so they are openly available to businesses and assessors alike.
- Clarity and Standardization: Because the criteria are public and approved at the EU level, businesses and assessors no longer have to guess at what proper practice looks like. The Europrivacy standard provides a clear, open framework from which a uniform approach to certification can be deployed throughout the EU.
- Risk Reduction: Europrivacy gives assessors and businesses a common set of criteria for finding and closing gaps in compliance and security. This helps organizations apply GDPR's risk-based requirements in practice and reduce both their security and their legal exposure.
- Reputation: Companies displaying the Europrivacy seal show their customers that they take GDPR compliance seriously, measured not against an in-house interpretation but against criteria approved at the EU level.
The EDPB approved Europrivacy on October 10, 2022, and it is currently being rolled out across the EU and EEA, with the scheme offering complementary criteria for national laws and for non-EU jurisdictions. GDPR still allows national certification schemes to exist alongside it, but in time Europrivacy may become the reference GDPR certification.
Prepare for Europrivacy and GDPR with Lazarus Alliance
Europrivacy is shaping up to be the new standard for demonstrating GDPR compliance, which means streamlined audits and, ideally, a single consistent compliance approach. Lazarus Alliance is an experienced, GDPR-ready security firm that can help you prepare for the future of GDPR compliance.