Europrivacy: An Expert Overview

What is it, what are the benefits, how does it work, who can apply, and more

Alice Turley is a senior privacy and GRC (governance, risk and compliance) consultant and trainer with IT Governance Europe. She’s also a certified Europrivacy™/® Lead Implementer and Lead Auditor.

She’s provided consultancy on PIMSs and ISMSs (privacy information management systems and information security management systems) across a wide range of industries in both the private and public sectors.

Alice is highly experienced in:

  • Assessing risk;
  • Providing solution-based advice; and
  • Developing compliance, privacy and risk frameworks.

Recently, she published her book Europrivacy™/® – The first European Data Protection Seal.

We sat down to get her expert insight into the Europrivacy seal.

In this interview

  • What is Europrivacy?
  • Who can apply for Europrivacy certification?
  • What are the benefits of Europrivacy certification?
  • How do the Europrivacy scheme and certification process work?
  • What must applicants consider when choosing a consulting company?

What is Europrivacy?

The Europrivacy certification scheme is the first certification mechanism, or data protection seal, that entities can achieve to demonstrate their compliance with the GDPR (General Data Protection Regulation) and other national data privacy obligations.

We really needed a scheme like this. For many years, clients have been asking me to help them become GDPR compliant. I then did that by:

  • Implementing all the GDPR’s requirements; or
  • Conducting an audit to confirm all GDPR measures are in place and effective.

However, it was only when the EDPB [European Data Protection Board] approved Europrivacy that we got a mechanism for organisations to definitively stamp their data processing activities as ‘GDPR compliant’.

The scheme offers a structured approach for organisations globally to demonstrate their GDPR compliance. And, for that matter, to demonstrate compliance with other national data privacy obligations.

What are the benefits of Europrivacy certification?

Well, the GDPR frequently [18 times] mentions the requirement for “appropriate technical and organisational measures” to protect personal data when stored or processed.

But it doesn’t specify a framework on what appropriate technical and organisational measures may actually look like. This has left a gap for organisations to fill.

That’s your first benefit of Europrivacy: providing a detailed framework of those appropriate technical and organisational measures.

Certification therefore allows organisations to conveniently demonstrate that their data processing activities are GDPR compliant. This is an assurance that customers, partners and other stakeholders will welcome. It gives the organisation an edge over competitors – data breaches are constantly in the news, and no one wants to be the next headline.

Then there’s the fact that Europrivacy checks and controls are continually updated to take into account:

  • Any regulatory or legislative changes;
  • Advice and guidance from the EDPB; and
  • Changes to national and domain-specific obligations.

This means that Europrivacy is a very comprehensive privacy certification, covering more than just the GDPR. The seal has global recognition, so it’s receiving a lot of attention from outside Europe, too.

Could you tell us more about how Europrivacy works?

The Europrivacy scheme is based on certifying processing activities. As such, an assessor awards certification at the data processing activity level, rather than to the organisation.

Europrivacy recommends starting with two processing activities for the initial certification. Then, with time, you can extend the certification to include more activities. But that’s only a recommendation – entities can start with just one, or three-plus, processing activities, if that suits their needs and circumstances better.

As for the certification process itself, that’s not dissimilar to the ISO standards. Certification is valid for three years, but an independent accredited certification body must carry out an annual surveillance audit.

Also, the relevant data protection supervisory authority [or authorities] must approve the certification body conducting the Europrivacy certification, surveillance and recertification audits.

What constitutes a ‘processing activity’ under Europrivacy?

The scheme embraces a broad range of data processing operations, including typical activities like:

  • Payroll;
  • Recruitment;
  • Payment processing;
  • Direct marketing; and
  • E-commerce transactions.

But it can also account for new technologies, including:

  • AI;
  • Blockchain;
  • The Internet of Things;
  • Automated cars; and
  • Even smart cities!

Applicants must document the processing activities being assessed in their ToE [Target of Evaluation]. This is a report not dissimilar to a scope statement under ISO 27001.

Who can apply for Europrivacy certification?

Any organisation that processes personal data, whether as a data controller or processor, and no matter their industry or geographical location. Certification isn’t limited to those within scope of the GDPR!

In fact, the scheme is particularly suitable for organisations meeting multiple data privacy obligations.

As part of any organisation’s Europrivacy application, it must complete a NOCAR [National Obligations Conformity Assessment Report]. This is a growing list of data protection obligations, like national laws, that organisations may have to comply with.

Organisations tend to focus a lot on their GDPR obligations. They think that they must simply be GDPR compliant, and that’s it. As a result, they can forget they also have national [and other!] data privacy obligations they need to adhere to.

The NOCAR is great for addressing that issue.

Suppose you’re a UK or Swiss organisation wanting to certify to Europrivacy. At a minimum, you must comply with your national [UK or Swiss] data protection law, as well as the GDPR and the national laws of whatever EU member states your customers are based in. Your NOCAR will account for all those obligations. In addition, work is currently taking place to extend compliance to other non-EU jurisdictions.

Can you talk us through the Europrivacy certification process?

It always starts with applying for certification, validating the scope, and the certification body providing an offer with:

  • All terms and conditions;
  • The scope of certification;
  • A confidentiality agreement;
  • Cost estimates for certification; and
  • Information on the certification process.

After that, things get a bit more complicated. The process differs depending on the type of data processing activities you’re seeking certification for:

  1. Processing related to products, processes and services; or
  2. Processing related to data protection management systems.

However, broadly speaking, they both involve:

  • A documentation review by the certification body auditor[s];
  • The auditor[s] performing testing activities on your measures and controls; and
  • Issuing, maintaining and, in due course, renewing your Europrivacy certification.

The main difference is that for auditing processes related to data protection management systems, you’re looking at a more intensive certification process. It involves more formal steps – such as stage 1 and stage 2 assessments [and reports].

Where do consulting companies come into the process?

While any organisation can apply for Europrivacy certification, it’ll need a consulting company to assist in this process. This is specifically a step in the application process.

When you apply via the Europrivacy website, it’ll match you with a consulting company. Organisations can also approach a consulting company directly.

When you contact a qualified consulting company, it’ll prepare a Europrivacy welcome offer that explains the service provided and costs involved. If you accept the offer, the consulting company will start the implementation process by activating the Europrivacy Welcome Pack for your DPO [data protection officer].

Oh, that’s another thing – Europrivacy certification applicants must have appointed a DPO, or another individual with responsibility for data privacy, whether internally or externally. You must also have records of your data processing activities.

What is the Europrivacy Welcome Pack?

Europrivacy offers its Welcome Pack to all applicants. It contains an introductory Europrivacy training course for the DPO.

That’s alongside access to the online tools and resources on the Europrivacy Community website during the three years of certification. You also get access to the Europrivacy Flash Alerts, with the latest regulatory and criteria updates, for the same three years.

The Welcome Pack contains a few other things too. Organisations can purchase it directly from Europrivacy or from the qualified consulting company.

How can organisations choose the right consulting company for them?

If you’re serious about Europrivacy certification, you really must use a Europrivacy-qualified consulting company – like GRC International Group [the parent company of IT Governance Europe].

Europrivacy maintains the list of qualified consulting companies on its website, which anyone can view.

Looking to take the next step?

Our experts are ready to help you scope your Europrivacy project and figure out your next steps to prepare for certification.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our interview with data privacy and cyber security trainer Andrew Snow on a landmark GDPR ruling by the ECJ (European Court of Justice)?

Alternatively, explore our full index of interviews here.
