GDPR-CARPA certification: the first fully operational EU framework
Article 42 of the GDPR encourages the Data Protection Authorities of EU Member States to establish data protection certification mechanisms, seals and marks that organisations can use to demonstrate compliance. The National Commission for Data Protection in Luxembourg (CNPD) adopted its certification mechanism in May 2022. The mechanism allows accredited certification bodies to issue GDPR compliance certificates to organisations, and was developed through repeated exchanges between the authority, audit professionals and data protection experts. The first consultation on the mechanism took place in 2018, and the European Data Protection Board (EDPB) issued its opinion on the mechanism in February 2022.
The page presents this certification as the strongest currently available on the European market, because the entire process is developed by, owned by and under the direct supervision of the Data Protection Authority. For the first time, companies across the EU can obtain a certificate, valid for three years, showing that the personal data processing activities in scope meet the required standard.
Since the mechanism was introduced, EY Luxembourg has been accredited as a certification body under the GDPR-CARPA mechanism ("GDPR Certified Assurance Report based Processing Activities"), making the firm the first European company authorised to deliver GDPR certifications.
What is the mechanism for companies to obtain the GDPR-CARPA certificate?
"GDPR-CARPA" is a certification which demonstrates, through independent third-party attestation, that GDPR data protection and privacy safeguards are in place for the processing activities an organisation selects for certification. Its scope is therefore the selected processing activities, not the organisation as a whole.
The mechanism provides a high level of assurance because it is built on a Type 2 report under the International Standard on Assurance Engagements (ISAE) 3000, an internationally accepted standard that has been widely used for many years. The distinction matters: in a Type 1 engagement the auditor assesses only whether controls are suitably designed at a point in time, whereas in a Type 2 engagement the auditor also tests whether those controls operated effectively throughout a review period, usually one year.
To complete the GDPR-CARPA certification process, the accredited certification body (here, EY) performs a formal assessment of the final ISAE 3000 report against the evaluation criteria set by the Data Protection Authority. The certification decision is then communicated to the Data Protection Authority before the final certificate is granted to the company.
To whom does it apply?
Certification is most beneficial to companies that process personal data (often referred to as personally identifiable information, PII) and operate in Luxembourg and elsewhere in Europe. It is also suitable for firms wishing to provide transparency to data subjects and within business-to-business relationships, for example between controllers and processors.
Why is the mechanism a game-changer?
The certification can help reduce the compliance and reputational risks associated with infringements of the GDPR. The certification criteria cover three sections: 1) data governance, 2) data controllers and 3) data processors.
The certification is useful not only for the certified companies themselves, who can use it to demonstrate compliance with the GDPR to their auditors and to the authorities, but also for investors, business partners and customers, who gain a higher level of trust in how the certified companies handle personal data. Note that certification does not transfer or reduce the controller's or processor's own responsibility for GDPR compliance (Article 42(4) GDPR).
How do firms get certified?
Certification is granted by firms that the Data Protection Authority has authorised and accredited to do so, such as EY PFS Solutions. The accredited firm issues the certificate on the basis of the GDPR-CARPA ISAE 3000 attestation report covering the client's specifically selected processing activities.
How EY can help
EY Luxembourg is now authorised to certify your company's GDPR compliance for the processing activities you select. There are typically six steps in the GDPR-CARPA certification procedure, which are unpacked below, and EY can support you at each stage of the process. Once issued, a certificate is valid for three years.