Saturday 7 October 2017

GDPR certification: What is it, and do you need it?

The article can be found on the portal "" at:
I quote selected ideas from the article
How the ICO will measure GDPR compliance, and whether a certificate means anything
- "Companies are promoting all sorts of GDPR training courses that come complete with exams and certificates. Almost all of them, though, are meaningless.
- "Organisations simply need to comply with the GDPR (or at least try to). ...You don't need to prove compliance ... you simply have to be compliant."
How can you demonstrate GDPR compliance?
"There are a few different forms of proof organisations can offer the ICO. These must all demonstrate:
a) Internal policies and procedures that comply with the GDPR's requirements
b) The implementation of the policies and processes into the organisation's activities
c) Effective internal compliance measures
d) External controls
- "All of these would not only need to be documented (for example, policies), but there would need to be a record kept of how they were being carried out in practice to demonstrate compliance.
- "Data controllers ... must be able to show they have established a data protection compliance programme and privacy governance structure, as well as ongoing privacy controls.
- "Controllers, ... they must train employees on privacy and data protection matters and test their privacy measures, using the results to improve their policies.
- "The GDPR is holistic: you have to comply with all aspects of the GDPR."
Are any GDPR certification schemes worth the money?
- "Certainly not if you enter them for the purpose of gaining a certificate demonstrating compliance.
- "Organisations who undertake their courses may still be found non-compliant by the ICO.
- "Existing schemes, if using the GDPR legislation as their basis, may have some value - the more any organisation does to comply the better. Obtaining any form of external certification implies that [an] external organisation is going to check where the target organisation is not doing enough, thus enabling the target organisation to become more compliant."