The Europrivacy Community and Resources website gathers all relevant information and documents to reduce your risks and to document, check, certify, and value your compliance with data protection regulations. To access these documents and resources, you must have subscribed to the community.

If you are alreadey subscribed, please log in. Otherwise, you are welcome to subscribe through the homepage.

How does Europrivacy solve the dilemma between universal versus specialised certification scheme models?

There are two main categories of certification schemes: universal ones and specialised ones. Both face inherent limitations. The conclusions of the research on this dilemma lead Europrivacy to adopt an innovative hybrid model of certification that combines the best of each conventional models and overcomes their inherent limitations.

Limitations of universal certification schemes

Universal GDPR certification schemes have the advantage to cover all data processing activities and to deliver homogeneous and consistent certifications. However, there is a high probability that a universal certification does not adequately address domain- and technology-specific requirements and risks for the data subjects.

Limitations of specialised certification schemes

Specialised certification schemes focus on a specific category of data processing activity. However, by focusing on specific requirement subsets or highly technical criteria, they tend to ignore other data protection obligations associated with data processing. Specialized certification schemes are often inadequate to certify data processing that tends to be increasingly complex by nature. Let’s consider the example of a data processing collecting data through a smartwatch. This kind of data processing with smartwatches (which are Internet of Things devices) collects biometric data and sends them through a cellular network to a server in the cloud. There the data are usually analysed by artificial intelligence algorithms in order to extract relevant information to be displayed on the smartphone application of the data subject. Using a specialized certification scheme for the Internet of Things would be adequate for the smartwatch part, but would not adequately cover the risks for the data subjects related to the use of Artificial intelligence, health data, or mobile phone applications. Similarly, a specialized certification scheme for processing in the cloud or based on Artificial Intelligence would face the same limitations by delivering only a partial, incomplete and potentially misleading assessment of compliance. 

Figure 1 – Example of biometric data processing based on a smartwatch

Combining several specialised certification schemes for a single data processing activity would be inefficient, costly and not affordable to SMEs. 

A single company can control hundreds of data processing. There are companies interested in certifying all data processing that expose them to legal and financial risks. If they must apply distinct specialised certification schemes for each one of their data processing, they will face problems:

  1. It is unlikely to find specialised schemes for each category of data processing, which would exclude series of data processing from certification.
  2. Preparing certification with many different certification schemes, methodologies, and criteria granularity would make the exercise quite complex, difficult, and time-consuming.
  3. As each certification scheme requires specific training and qualification of auditors, SMEs will most likely have to contract several certification bodies and audit teams to certify their various data processing. 
  4. Having a fragmentation of qualified auditors will make the cost of certification higher. One way or another, the SMEs will be charged for these additional costs and will end up paying for the fragmentation and the multiplication of qualification and administrative costs.

How does Europrivacy solve this dilemma? The Europrivacy hybrid model

To address this dilemma, Europrivacy has developed an innovative hybrid model of certification that combines the advantages of a universal certification scheme (with its comprehensive list of core criteria) together with complementary domain and technology-specific criteria whose application is determined by the Target of Evaluation. In our previous example, a Europrivacy auditor would have to assess the compliance with the Europrivacy Core GDPR Criteria, as well as with the Europrivacy complementary criteria applicable to AI, IoT, Blockchain, and websites. These additional criteria have been developed on the basis of the EDPB guidelines and European research projects with experts in the corresponding domains to address these specific risks for the data subjects.

Figure 2 – Example of Europrivacy Hybrid Model applicability to a biometric data processing

Additionally, for complex cases, Europrivacy has been designed to facilitate combined certifications with other certification schemes and complementary requirements. For instance, in the context of IoT data processing, it is possible to combine a Europrivacy certification with domain-specific standards, such as IEC 62443 or ETSI EN 303 645. This approach enables to ensure a systematic, comprehensive, and highly reliable assessment of data protection.

error: Content is protected !!