The CNPD (National Data Protection Commission) has adopted its own certification mechanism, GDPR-CARPA, in Luxembourg, this being the first certification mechanism adopted at the national level in accordance with the GDPR.
After being heavily criticized for a long time for not adopting any financial sanctions, the CNPD innovated and pioneered in the field of data protection by adopting the first certification system in all of Europe for a regulator, a certification that belongs to the CNPD, which will make it possible for all employees, associations, institutions and companies to prove that they are complying with the GDPR guidelines.
Implementing this mechanism brings more credibility, as it denotes greater transparency, allowing users to have tools to assess whether organizations' systems handle their data appropriately, within the standards stipulated by regulation.
Although the certification mechanism does not certify the entire organization, it is important to emphasize that it certifies specific processing operations, and that this certification is based on the ISAE 3000, ISQC 1, and ISO 17065 standards, which frame the work done by the certification system and professional auditors.
One of the unique aspects of this CNPD mechanism is that it is based on an ISAE 3000 Type 2 report, which helps ensure the correct implementation of the control mechanism, formally holding the auditor accountable and thus guaranteeing an above-average level of confidence, a fundamental factor within the GDPR context.
"The numerous exchanges that the CNPD has had with auditing professionals since the GDPR came into effect in 2018 have helped determine the value, as well as the type of GDPR certification that could be useful in the Luxembourg ecosystem," the CNPD said about its new mechanism.
In a statement, the CNPD also said: “In consultation with these actors, the CNPD developed an initial version of its certification mechanism. Subsequently, the other European data protection authorities examined these criteria under the consistency mechanism and the European Data Protection Board (EDPB).”
The role of certification mechanisms in the GDPR
Data protection certification mechanisms exist to verify compliance in the handling of personal data, with the aim of demonstrating adherence to regulations by controllers and processors.
In Luxembourg, the CNPD (National Commission for Data Protection) is responsible for accrediting these GDPR certification systems, using criteria based on the ISAE 3000 (auditing), ISQC 1 (quality control of auditing bodies) and ISO 17065 (accreditation of certification bodies) standards.
The fact is that consumers are more demanding when it comes to their personal data, and they want transparency. Today, the way companies handle and store personal data is a key factor in determining whether or not a consumer will establish and maintain a relationship with that company.
Gradually, data security criteria are being incorporated into consumer purchasing behavior, which means that companies that are not currently considering ways to work transparently are already one step behind.
In this context where data protection has become a priority, the creation of certification mechanisms to bring more truth to the processes is more than welcome.



















