GDPR and Certification – what’s the story?
Articles 42 and 43 of the GDPR pave the way for GDPR Compliance Certification, seals, or marks:
The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.
The European Data Protection Board (“EDPB”) was very quick off the blocks in 2018, issuing early guidelines, but as of December 2021 there are no formally certified European GDPR Compliance Seals. Word is that we are getting closer, and 2022 will be the year that some of the first EDPB-approved EU-wide GDPR certification seals will finally be available.
So why is Santa keen to see certification seals emerge?
Well, first off, Santa is processing Children’s data at scale. Santa has welcomed the Irish Data Protection Commission’s work on the Fundamentals for a Child-Oriented Approach to Data Processing. He is in favour of the principle that Children’s data should be afforded additional protections, and he wants certainty that his workshop is hitting the standards he expects.
Santa is thinking about certifying his own North Pole operations for his own peace of mind and to protect his hard-earned reputation with his small customers and their parents.
He knows he is running his Santa’s Workshop operations in the North Pole as a tight ship and his DPO Elf is a reliable fellow, but Certification is going to bring an extra level of comfort.
The discipline of preparing for the rigours of a certification exercise will bring his compliance to the next level. The certification itself is an independent verification that goes well beyond the DPO Elf reassuring him that “Everything is good Santa!”.
Certification helps to verify the supply chain
Now Santa has a pretty complicated supply chain. I know the party line is that everything is made in Santa’s workshop, but truth be told, it’s as much as the elves can do to keep up with the deliveries and get everything on the sleigh in time.
Santa is looking forward to dealing with Certified suppliers because it’s going to solve one of his main supply chain worries – how can he really assess whether his suppliers are compliant? Santa knows that there will be consequences for the North Pole Operations if he is dealing with suppliers who aren’t taking GDPR compliance as seriously as he does. One weak link in his supply chain can have serious implications.
Santa does his best to vet his suppliers, but let’s be honest, Santa’s skills lie elsewhere. He can check a Data Processing Agreement (“DPA”) with the help of his DPO Elf, and they have a pretty good due diligence questionnaire for his suppliers. This helps deliver some comfort, but a really deep supplier verification exercise requires more, and Santa always worries that he just doesn’t have the skills to spot the weaknesses in those due diligence responses.
With both time and expertise under the enormous pressure of an immovable annual deadline, Santa knows that Certification would do a lot of the heavy lifting for him.
Let’s make a list…
What are the benefits of certification for Santa and his suppliers?
- Independence – Every certification has to be submitted and validated by an independent body.
- Consistency – The standards are set by the EU, certification schemes must go through a rigorous process for approval and anyone who receives a seal must have demonstrated that they are meeting those standards.
- Rigour – As anyone who has gone through a Certification for ISO27001 will attest, this is something that requires commitment and hard work. The entire organisation is put through its paces. It’s impossible to complete an external processor evaluation with the same rigour that would be applied during a certification evaluation.
- Demystification – Santa is sourcing new HRIS Software this year for the North Pole Operations. Santa’s HR Elf is, let’s face it, an HR expert, not a GDPR expert and not a software solutions expert. Being able to choose from GDPR Certified solutions, with a recognised EU-wide Certification mark, is going to make for an easier life for Santa’s HR Elf.
- No Nasty Surprises – No matter how good Santa’s due diligence process is, there’s always the chance of getting something that he hadn’t bargained for. The risk always materialises when something goes wrong and that’s when it becomes obvious that the software has compliance gaps or the supplier’s breach management process isn’t what it should be. Santa only wants to deliver good surprises after all!
- Efficient use of resources – Certification can be used as evidence of compliance across multiple engagements as long as the certificate is in-date and the scope is relevant to the engagement. Santa knows that as a controller who performs large scale processing on Children’s data, GDPR compliance is a must and certification is a logical next step on Santa’s compliance journey. Suppliers with certification are more likely to get into Santa’s magic circle in 2022 than those without.
If you are a supplier to Santa’s North Pole Workshop operations – well, you know what is on Santa’s present list for 2022!
Marie Murphy and Tricia Higgins are experts with the Europrise Certification Seal, which recognises privacy compliance of IT products and IT-based services with European data protection regulations. The Europrise certificate aims to facilitate an increase in market transparency for privacy-relevant products, an enlargement of the market for Privacy Enhancing Technologies and, finally, an increase in trust in IT.
Marie Murphy
Marie's interest is in data protection operations focusing on people and process to manage personal data processing risk in large and small organisations with a special interest in privacy by design.