GDPR-CARPA certification: the first EU operational framework fully operationally
Article 42 of GDPR encourages Data Protection Authorities of EU Member States to establish data protection certification mechanisms, seals and marks, for the purposes of demonstrating compliance. The National Commission for Data Protection in Luxembourg (CNPD), adopted its certification mechanism in May 2022. The mechanism enables accredited companies to issue GDPR compliance certificates for companies and was developed off the back of multiple exchanges between the authority, audit professionals, and experts in the field of data protection. The first consultation on the mechanism took place in 2018, while the European Data Protection Board’s (EDPB) opinion on the mechanism was issued in February 2022.
This certification is currently the strongest possible on the European market, as the entire process is developed by, owned by and under the direct supervision of the Data Protection Authority. Now, for the first time ever, companies across the EU can get a stamp – that lasts for three years – to prove that their personal data management is up to standard.
Since the mechanism was introduced, EY Luxembourg has been accredited with “GDPR Certified Assurance Report based Processing Activities (CARPA)” (GDPR-CARPA), making the firm the first European company authorized to deliver GDPR certifications.
What is the mechanism for companies to obtain the GDPR-CARPA certificate?
“GDPR-CARPA” is a certification which demonstrates, via independent, third-party attestation, that GDPR data protection and privacy safeguards are in place for selected processing activities.
The mechanism provides the highest level of assurance as it is based on the underlying internationally accepted Type 2 of the International Standard on Assurance Engagements (ISAE) 3000, a standard that has been widely used for many years. The distinctive difference from Type 1 is that assurance controls do not only exist “in design” but also in “operational effectiveness” which is assessed over a given period of time, usually one year.
To complete the GDPR-CARPA Certification process, a formal assessment, based on Data Protection Authority evaluation criteria, of the final ISAE 3000 report is performed by the accredited body, EY. The certification decision is then communicated to the Data Protection Authority before the final certificate is granted to the company.
To whom does it apply?
Certification is most beneficial to all companies handling personal identifiable information (PII) and which operate in Luxembourg and Europe. It is also suitable for firms wishing to provide transparency for data subjects and business-to-business relationships, such as, for example, those that exist between controllers and processors.
Why is the mechanism a game-changer?
The certification can help minimize compliance and reputational risks associated with infringements of GDPR. The certification criteria covers three sections relating to 1) data governance, 2) data controllers and 3) data processors.
The certification is not only useful for the certified companies themselves to demonstrate compliance with GDPR, for their auditors and the authorities, but also for investors, business partners and customers who can have a higher level of trust in the way the certified companies are dealing with personal identifiable information.
How do firms get certified?
Certification is granted by firms that are authorized and accredited to do so by the Data Protection Authority, such as EY PFS Solutions. To become certified, the accredited firm, in this case EY PFS Solutions, issues the certificate based on the GDPR CARPA ISAE 3000 attestation report with respect to the client’s specifically selected processing activities.
How EY can help
EY Luxembourg is now authorized to certify the GDPR compliance of your company. There are typically six steps in the GDPR-CARPA Certification procedure, which are unpacked below. EY can support you at each stage of the process. Certification, once issued, is valid for three years.
