In June 2018, the EU issued updated guidance on certification and identifying certification criteria for Articles 42 and 43 of the GDPR.
We are now 18 months further down the road, but there does not seem to be a light at the end of the tunnel.
There was a brief glimmer of hope when ISO 27701 was published in August 2019. But as quietly as this privacy partner to ISO 27001 was released, there has been little progress in determining what constitutes a workable GDPR certification process.
The requirements for a GDPR Certification process
The GDPR certification guidance document sets some interesting hurdles for a certification to be acceptable.
- It must be scalable to allow even medium, small and micro businesses to be certified. This is indeed a challenge for an externally verified certification. The simple process of engaging an auditor to do this work is likely to be cost prohibitive to the average micro business.
- It must be scalable in terms of the risk profile of the data being processed. A small business in healthcare, should have greater scrutiny than a business making widgets.
- It should preferably be agreed at the EU level. Allow minimal variance in what certification means between different member states.
- Certification for companies processing in third countries should have a greater risk profile than a similar organisation that processes within the EU.
- It should not place undue process on the data processor. The expectation is that external audit can certify on the basis of existing documentation and processes in place at the processor. Therefore, no standard templates or rework is envisaged to standardise the approach taken to achieve GDPR certification.
- It needs to demonstrate appropriate technical and organisational controls for the data processing undertaken.
- And it needs to provide sufficient guarantees for the processor to controller relationship.
Given this highly challenging requirement, it seems logical that we have potentially a number of different flavours of certification based primarily on organisation size and whether the data processed constitutes high risk processing.
Micro business certification to the GDPR
At the micro end of the spectrum, it is difficult to see how anything more complicated can be conceived other than something like the Cyber Essentials self-certification to cover the technical controls, with a simple layer of GDPR controls nested on top to cover the key processing controls required under the GDPR.
Allowing self-certification at this lowest level would allow micro businesses to achieve a level of certification that may be required by their client through third party assurance contractual requirements. Currently the guidelines state that the GDPR certification process must be an externally validated certification.
A simple external certification may in the future be supported by cyber insurance providers, where external certification is provided by the insurance provider as a way of limiting their overall underwriting risk.
Remote external validation
Another option is to allow remote certification where the evidence is provided to the auditor without them needing to physically attend site. This would allow for the cost of an audit of a micro company to fall significantly, potentially falling within the acceptable cost category.
There may be service providers specifically set up in the future to provide such remote services, along with appropriate templates and self-help materials for a similarly bargain basement acceptable cost fee.
Clearly as soon as you stray into four figure territory, this become unpalatable to most micro sized businesses. Any solution for this market sector has to be incredibly lean in terms of effort and cost.
Certification determining risk, not the controller
The risk profile scaling is potentially a more contentious issue. Historically, certification schemes like cyber essentials and ISO 27001 have ensured that the organisation under review is free to set their own risk appetite, and justify the controls applied accordingly.
This risk profiling idea within the guidelines seems to indicate that you can fail to be certified if you do not align with the risk expectations of the Certification scheme and by extension, the Authority. This is a slippery slope, as it creates great rigidity in the application of controls.
This implies that an organisation is no longer free to apply its risk appetite and tolerance to a situation, but must strictly adhere to the classification placed on it by the certification scheme.
This would almost certainly require the organisation to rework a number of controls in line with a strict definition of acceptable risk provided by the certification. It goes against the principle of minimal rework effort for the organisation under review in point 5 above.
One size fits all certification nirvana
This would lead to a highly templated vanilla risk approach to certification which would be very inflexible to any controls innovation, or threat evolution. This is clearly not the intention deduced from the other guidelines put forward in the same document and limits the scope for “state of the art” controls assessment that the EU Guidelines are looking for.
This also applies to certification marks and their use under GDPR certification schemes. If we are to consider something like an “Approved GDPR Healthcare” mark, clearly the expectations from the clients would be that all such certifications are following the same rules and are applying controls in a very similar way.
The detailed annex of controls
The annex provided in these guidelines effectively sets a minimum baseline for the controls that any certification scheme is looking to validate.
Quite a few of these minimal requirements require a reasonably long and thorough explanation of the processes followed and the controls applied. This is most probably something that a micro organisation would not consider as business as usual, as extensive documentation is not something that most micro organisations see value in. If you are a one-man-band organisation, who exactly are you writing this documentation down for? Clearly it is not something to be communicated across the organisation unless you want to speak to yourself a lot.
The minimum requirement laid down by the guidelines is not conducive with the idea of micro companies becoming certified.
If the intention truly is for these guidelines to be applied to the certification of micro organisations, some clear guidance as to what can be dropped should have been provided, because as they written currently, the guidelines apply only to larger enterprises and are cost and effort prohibitive to smaller organisations.
A timeline for a timeline
In the UK, the ICO had been expected to release its views on certification and accreditation in the Summer of 2019, with publication expected in Autumn 2019.
I have reached out to the ICO for comment and I will update this article with any response to either me directly, or any update that the ICO make to their guidance and timelines on certification. [Updated: Well, that was quicker than expected. I reached out to the ICO on the 19th Dec and got a response of the 20th. Blimey! An update has been posted on the ICO website here, on UKAS being designated as the accreditation authority for GDPR certifications in the UK. Still not massive progress, but progress never the less.]
I do not envy the ICO’s task here in trying to achieve what seems like the impossible. Taking a very prescriptive and complex certification guidelines process that can be taken up by micro companies at low cost and complexity. And to then align this across the entire EU to ensure a level playing field between certification schemes across Europe.
In my view, this can only be done if the EU admit defeat and provide different certification schemes at different levels of organisation size. My view is there are at least three versions of certification here. One at the very small level, one at the Enterprise level that represents the Gold standard, and something in the middle. Without this kind of layering this certification exercise will not meet its goal of broad acceptance.
We await to see how the ICO and UKS intend to proceed, or indeed any other Authority across Europe who want to be first out of the blocks on this one.
We already have a model for applying the same requirements on businesses from micro to enterprise businesses, PCI. Start with broad strokes of what is needed along with some specific requirements, and move onto detailed requirements certified by a third party for the enterprises. Hopefully an approach like that would lead smaller businesses with a disproportionate amount of personal data to move over to service providers who could create certified compliant services. Any volunteers to create a service that secures and manages personal data in a compliant manner?