Illusory GDPR certifications
Our clients often ask the question “How will we demonstrate that our company is GDPR compliant?”
On the Internet you can find many organizations offering to issue a certificate that will show the whole world that your company complies with the Regulation. And, of course, the confirmation will allegedly be signed by an international association.
For some, such a piece of paper will seem like a way to insure against the risk of inspections by supervisory authorities and to prove that they care about their customers.
They will also convince you that such a certificate is necessary, adding information about how well you fulfill the information security requirements and the principles of transparency, confidentiality, integrity and accessibility in the exercise of the rights of data subjects, and so on, and so on …
However, all this creates an illusion: that a piece of paper will cover the company in the event of an audit by a supervisory authority and reassure partners who might ask, before starting to work with you, whether you have a personal data register.
So why an illusion? Currently there is no worldwide uniform certification under Article 42 of the GDPR. Therefore, all the certificates, diplomas and attestations of “100% GDPR compliance” that can be posted on a website are nothing more than a marketing gimmick. If anything, their presence raises doubts among those who know the subject.
In fact, any company that sells stationery today can develop its own certificate of compliance with the Regulation tomorrow, and the day after tomorrow claim that it conducts GDPR compliance checks and is authorized to issue confirmations.
To sum up, why is a GDPR compliance certificate not the right option for your company?
Firstly, the supervisory authorities are well aware that there is no official certification; it has not been developed and is unlikely to appear soon. That is why they also understand that a company using this type of confirmation is probably not taking any active steps to comply with the GDPR.
Secondly, companies that actually follow the rules of the Regulation know that there is no official certification. They will probably ask a reasonable question: “Why are you deceiving and misleading us?” This can be a serious blow to the reputation of a self-respecting company.
However, a specialist (not a company) can get a certificate. The presence of experienced personal data protection officers can be proof of the organization’s commitment to comply with the rules of the Regulation. For example, you can become a Certified Data Protection Professional by taking the only regular GDPR course in Russian from Sergei Voronkevich, a Certified Information Privacy Professional and Manager.