European Data Protection Supervisor

Data Protection Certification Model - From risk management to accountability tools. The European transposition of the GDPR


Tuesday, 15 October, 2019



The European Commission study on certifications provided national authorities and the EDPB with indications and clarifications on methodologies, rules, roles and responsibilities and on international standardization norms.

Under the principles of awareness and accountability, which the GDPR strongly restates, the controller is required to "ensure" and be able to "demonstrate" that a processing operation complies with the Regulation. What must be done to achieve that? Which elements should be considered? How should the risks involved be managed?

Risk is a cross-cutting concept in the Regulation, covering both the risk to the rights and freedoms of data subjects and the risk inherent in processing operations. How can it be managed? Are risk assessment models and DPIA models consistent with each other?

Certification, introduced by Articles 42 and 43 and examined in the Commission study mentioned above, provides powerful tools for demonstrating compliance with the GDPR. Regulation 2016/679 identifies ISO/IEC 17065:2012 as the standard for the accreditation of certification bodies, supported by EDPB Guidelines 4/2018. Why this standard and not another?

With EU-wide certification models now being defined, the question concerns the whole European landscape and confronts institutions with a cultural and operational problem of transposition: how to certify? Which controls apply to those who certify? Which competences must auditors have?

The debate analysed the current opportunities for certification at European level, through the contributions of the Tilburg researchers, the representatives of the EDPB and the EDPS, and the Osservatorio 679 board.

Programme

Moderators:

Patrizia Toia, MEP, IT S&D
Nicola Danti, MEP, IT S&D

Speakers:
10:00 – 10:10 Opening remarks by Roberto Viola, Director General DG Connect, European Commission
10:10 – 10:20 A memory of Giovanni Buttarelli by Gianluca Buttarelli
10:20 – 10:30 Introduction, Riccardo Giannetti, Osservatorio679 President

Part 1: From risk assessment to accountability tools

10:30 – 10:50 | Eric Lachaud, University of Tilburg: the Commission study on Articles 42 and 43 of the GDPR. Main takeaways from the market scan

10:50 – 11:10 | Marco Moreschini, Osservatorio 679 member: the EC study. EuroPriSe and ISDP10003, two operational examples within the scope of Art. 42

11:10 – 11:30 | Rosario Imperiali, lawyer, expert on privacy and data protection law
The demonstration process and the tools for demonstrating accountability

11:30 – 11:50 | Riccardo Giannetti, Osservatorio 679 President
The GDPR risk-based approach: specific and non-specific certifications

Part 2: Debate on Guidelines 1/2018 and 4/2018 and Annexes 1 and 2, from theory to practice

12:00 – 13:00
Riccardo Giannetti, Osservatorio679 President
Bruno Gencarelli, Head of Data Protection Unit, DG Justice, European Commission
Massimo Attoresi, Data Protection Officer, EDPS
Rosario Imperiali, lawyer, expert on privacy and data protection law

EC Data Protection Certification Mechanisms (PDF)
EuroPriSe and ISDP10003:2015 - Presentation by Marco Moreschini (PDF)
Tilburg Institute of Law, Technology and Society - Presentation by Eric Lachaud (PDF)
Data Protection Certification - Presentation by Riccardo Giannetti (PDF)
Accountability - Presentation by Rosario Imperiali (PDF)