In today’s complex digital landscape, protecting your organisation and the data it processes is critical – both from an operational and a regulatory point of view.
However, if you operate in multiple jurisdictions and are bound by various data protection regimes, demonstrating the security of your practices to the satisfaction of all relevant authorities can be a challenge.
This is especially true when it comes to protecting personal data.
The concept of data sovereignty is well established around the world, with personal data subject to the laws of the country in which it is collected. This means many data protection laws have extraterritorial scope.
For instance, the EU GDPR (General Data Protection Regulation) applies beyond the EEA:
- To personal data processing carried out on behalf of data controllers or processors in the EU;
- To the processing of EU residents’ personal data in relation to offering them goods or services, or monitoring their behaviour; and
- Where EU member state law applies by virtue of public international law.
The GDPR is acknowledged around the world as a ‘gold standard’ when it comes to data privacy legislation, affording personal data a level of protection largely unmatched elsewhere.
This means that by complying with the GDPR, non-EEA organisations will have implemented most of the measures they will need to comply with other data protection laws, and extending their GDPR compliance projects to cover other laws should be relatively straightforward.
This also means that mechanisms to demonstrate your compliance with the GDPR can be extended to cover other data privacy requirements.
The European Data Protection Seal
For organisations that want to demonstrate their GDPR compliance, Europrivacy™/® certification is well worth pursuing. It is the first GDPR certification mechanism as defined by Article 42 of the Regulation and is recognised in all 27 EU member states.
However, if you have numerous overlapping obligations to meet, you might be surprised to know that Europrivacy was also designed to help organisations demonstrate their compliance with other, non-EU laws and regulations.
How do you achieve Europrivacy certification?
To achieve certification, organisations must meet, among others, the Europrivacy GDPR core criteria, which are maintained by the ECCP and its Europrivacy International Board of Experts.
The core criteria allow organisations to assess their compliance with regard to:
- Lawfulness of data processing;
- Special data processing;
- Data subjects’ rights;
- Data controllers’ responsibilities;
- Data processors;
- Security of processing and data protection by design;
- Management of data breaches;
- DPIAs (data protection impact assessments);
- DPOs (data protection officers); and
- Transfers of personal data to third countries or international organisations.
Where applicable, these core criteria are supplemented with:
- Complementary contextual checks and controls to assess technology and domain-specific obligations; and
- Technical and organisational measures checks and controls to assess security requirements.
Extending your Europrivacy certification to cover other jurisdictions
Europrivacy certification can be extended to demonstrate compliance with other, non-EU data privacy laws by applying complementary national criteria, known as Europrivacy national extensions.
This will enable Europrivacy-certified organisations to attest that their data processing practices align with the GDPR’s requirements, as well as with other relevant laws and regulations.
It is not yet known when these national extensions will be made available, or which authorities will recognise Europrivacy certification as a demonstration of compliance with their own domestic laws.
How can IT Governance Europe help?
Alongside our sister companies IT Governance UK and GRCI Law Limited, we offer a comprehensive range of services to organisations that wish to certify that their data protection practices comply with the EU GDPR and relevant national data protection laws.
IT Governance Europe is at the forefront of helping organisations implement GDPR-compliant processes and achieve certification to standards and frameworks such as ISO 27001, ISO 27701, Cyber Essentials, the PCI DSS (Payment Card Industry Data Security Standard), and others.
Our highly experienced consultants, supported by GDPR-specific tools and processes, can work with clients all over the world to ensure their data processing practices meet the Europrivacy standard and are fit for certification.
As a Europrivacy official partner, GRC International Group has been evaluated and selected on the basis of its track record and expertise in data protection.
Only the official partners are authorised by the ECCP to deliver Europrivacy-related services. You can find a full list of official partners on the Europrivacy website.
Europrivacy is an international trademark registered in several jurisdictions.