Europrivacy certification challenges

I attended the 2024 Privacy Symposium in Venice, where (among many other topics) we talked about Europrivacy™/® – challenges, developments, processes, etc.

One talk that I found especially interesting was by the DPO (data protection officer) of the first organisation in the world to receive Europrivacy certification.

It gave insight into how long Europrivacy certification takes: at least seven months – even if you’re already compliant with the GDPR (General Data Protection Regulation). For comparison, you can achieve ISO 27001 certification in three to four months.

Let’s look at some of the Europrivacy challenges my privacy colleagues and I have been seeing.


The Target of Evaluation takes longer than you think

The DPO at the Symposium explained that the ToE (Target of Evaluation) alone took months to complete, which corresponds to what other organisations are experiencing. The ToE is one of the most time-consuming parts of the Europrivacy certification process by far.

The ToE is a report similar to a scope statement for an ISO 27001 ISMS (information security management system). If your organisation is applying for Europrivacy certification, you must provide information like:

  • A description of the data processing activity you want to have certified;
  • The purposes for which you’re collecting and processing the data;
  • The approximate number of data subjects; and
  • Applicable categories of personal data.

Your ToE must also list the data processors for in-scope processing activities. This can be much harder than you think! With supply chains as complex as they are nowadays, it takes time to identify all processors and then narrow them down to the most critical ones for that particular activity.

Selecting your processing activities to get certified is a time-consuming process, too. Large organisations in particular may have hundreds of activities that involve personal data, so making the right decision on which to include for your certification is tricky.

In short: be aware that determining your ToE – i.e. your scope of certification – can take months. But it’s also vital to make sure you get it right.


GDPR compliance isn’t enough for Europrivacy certification

Organisations tend to think that if they’re GDPR compliant, Europrivacy certification will be straightforward.

But in the case of the organisation represented at the Privacy Symposium, certification still took many months, even though this organisation is extremely aware of its privacy obligations. And this time frame isn’t an outlier – applicants underestimate their data protection obligations.

Part of the issue is that people forget that Europrivacy certification requires more than just GDPR compliance. It also requires:

1. Compliance with national data protection laws

Organisations tend to focus on their GDPR obligations, thereby forgetting their national data privacy obligations. So, while you may be GDPR compliant, are you also meeting local data protection laws?

When you apply for Europrivacy, you need to complete a NOCAR (National Obligations Conformity Assessment Report).

This report features a growing list of data protection obligations, including national privacy laws, that organisations may need to comply with. Applicants will need to determine which they must meet and ensure they’re compliant.


2. Meeting sector- and processing-activity-specific requirements

Another part of Europrivacy requires you to meet ‘complementary contextual checks and controls’, including controls for:

  • Smart cities;
  • Public websites;
  • The IoT (Internet of Things);
  • Automated decision-making;
  • Biometric, medical and health data;
  • AI (artificial intelligence) and data analytics;
  • Blockchain and distributed ledger technology; and
  • Data anonymisation and pseudonymisation solutions.

This list is non-exhaustive, but gives you a sense of the types of activities covered.

As part of the certification process, where your in-scope processing activity falls into one of these categories, your assessor has to conduct certain checks.

These are standard checks, outlined in a formal checklist of controls, created by the ECCP (European Centre for Certification and Privacy). This checklist also aligns the controls with the relevant EU GDPR article(s).

If you go for Europrivacy certification, your consulting company will guide you through the process, so don’t worry too much about this. Just recognise that this adds another layer of compliance that goes beyond the GDPR requirements.


Benefits of Europrivacy certification

At this point, you might be questioning whether Europrivacy is a worthwhile investment. Why not just ensure GDPR compliance, and leave it at that?

Specific technical and organisational measures

For one, Europrivacy addresses a drawback of the GDPR, particularly in terms of the ‘integrity and confidentiality’ principle and Article 32.

Although the Regulation requires “appropriate technical and organisational measures” – mentioning them no fewer than 18 times – the GDPR isn’t specific about what those measures should look like. The granularity of the checks and controls required under Europrivacy makes it much clearer what you need to do to comply.

Plus, these checks and controls are regularly updated in line with regulatory changes, new guidance, and so on, helping you maintain compliance.

Prove your GDPR compliance

Many organisations claim to be GDPR compliant – but few can conclusively prove it. What’s more, existing certification schemes and mechanisms – like ISO 27001 – tend to be autonomous.

Put differently, they’re not specific to any legislation.

ISO 27001, for example, simply focuses on information security – which is definitely a good thing, don’t get me wrong! Achieving ISO 27001 certification shows your commitment to data security, and can qualify you for new business opportunities.

But, in itself, ISO 27001 certification can’t prove your GDPR compliance, nor your compliance with any other legislation.

Europrivacy certification, on the other hand, provides conclusive evidence of your GDPR compliance.

(Also, Europrivacy incorporates many ISO 27001 measures, so if you already have ISO 27001 certification, implementing Europrivacy will be significantly easier.)


You may be less GDPR compliant than you think

Many organisations sincerely believe they are GDPR compliant, so they look into Europrivacy certification as the next logical step.

Specifically, they expect Europrivacy to be fairly straightforward, since they’re already GDPR compliant. However, they’ve often underestimated the non-GDPR data protection requirements they must meet.

More than that, they’re not as GDPR compliant as they believe.

I’ve largely found this comes down to a lack of accountability. It’s things like:

To generalise, organisations have put in the hard work of creating the right documentation – processes, policies and procedures – but aren’t generating records to prove those processes are working as they should.

One exercise that can help with this is to create data flow maps. These help you understand critical information like what lawful basis you’re relying on and who your data subjects are. They’ll also help you generate the correct documentation, particularly if you use dedicated software for this.

Looking ahead

A lot of exciting work is going on behind the scenes:

Europrivacy and GDPR Article 46

The Europrivacy team is adapting the Europrivacy certification to meet the GDPR Article 46 requirements in relation to international transfers.

Once approved by the EDPB (European Data Protection Board), this would mean that Europrivacy certification could be used as an approved mechanism for international transfers, offering a far higher level of assurance than, say, SCCs (standard contractual clauses).

Europrivacy extensions for other EU laws

In addition, Europrivacy has developed a Europrivacy criteria extension for the ePrivacy Directive. This is a dedicated extension that can be used to certify compliance with the ePrivacy Directive, as well as the GDPR.

Other complementary extensions are currently in progress, including for the Data Act, the Data Governance Act and the AI Act. These three extensions will provide a mechanism for demonstrating compliance with each of these acts.

Interprivacy

An additional certification, Interprivacy, will come to fruition soon.

To be clear: Europrivacy is the accredited certification for EU and EEA countries only. Interprivacy, on the other hand, will be the equivalent certification for non-EU and non-EEA countries. Global organisations will be able to certify against both schemes.


Got more Europrivacy questions?

GRC International Group – which trades as GRC Solutions – is an official Europrivacy partner.

As such, we’ve been evaluated and selected based on our track record and expertise in data protection.

Only the official partners are authorised by the ECCP to deliver Europrivacy-related services. You can find a full list of official partners on the Europrivacy website.

Want to learn more about Europrivacy or need support with your GDPR compliance?

We’re here to help.