With GDPR enforcement activity increasing, are you looking for ways to demonstrate GDPR compliance? Many companies have already invested significant time and resources designing and implementing GDPR compliance programs. Internally, they may have generated hundreds or thousands of pages of project plans, policies, processes and reports – including Article 30 records of processing, Article 35 DPIA reports and much more. But how do they demonstrate to internal stakeholders, clients, partners and other external stakeholders that their programs are well designed and implemented and that their processes and products are GDPR-compliant?
One possible avenue companies might consider for demonstrating compliance is codes of conduct and/or certifications. The obstacle to pursuing these routes at this time is that no certification bodies have yet been accredited, and no official GDPR codes of conduct or certifications have been issued. It is also not known when such codes of conduct and GDPR certifications will become available.
In the absence of authorized GDPR codes of conduct and certifications, some have suggested that companies pursue alternative codes of conduct and certifications. For example, some companies have become members of the General Assembly of the EU Cloud Code of Conduct. As an alternative certification, some companies are pursuing ISO/IEC 27001 certification. However, security standards are designed around the “CIA triad” of confidentiality, integrity and availability, a model intended to guide information security policies within organizations; the ISO 27001 security standard therefore represents only a partial fit for coverage of the requirements of the GDPR.
Another alternative step might be for companies to obtain an EU-US Privacy Shield Verification or APEC Cross-Border Privacy Rules (CBPR) Certification, both of which overlap significantly with the GDPR in terms of privacy objectives and controls. Obtaining these certifications can lay the foundation for a company to later qualify for the official GDPR certification once it becomes available, but they do not represent complete solutions.
In the absence of an official GDPR certification, many companies are pursuing external validations to help show customers, business partners and other stakeholders how they are addressing GDPR requirements. Companies are seeking efficient, independent ways to benchmark and report on their compliance efforts now. The TrustArc GDPR Validation is designed to meet that need.
The TrustArc GDPR Validation requirements are mapped to each applicable Article of the GDPR, Article 29 Working Party / EDPB guidelines, ISO 27001 and other relevant standards. Companies choosing the GDPR Validation can demonstrate their GDPR compliance efforts and status using intelligent technology-powered assessments, managed services and independent compliance validation. The solution is powered by the Assessment Manager module of the TrustArc Platform to simplify the process of managing assessments, identifying gaps, reviewing remediation recommendations, assigning tasks, recording the audit trail of changes and generating reports.
To learn more about GDPR requirements and tips and options to help you demonstrate compliance, read the “Guide to Demonstrating GDPR Compliance.”