The European Commission study on certifications provided national authorities and the EDPB with indications and clarifications on methodologies, rules, roles and responsibilities and on international standardization norms.
With the principles of awareness and accountability, strongly recalled by the GDPR, the Controller is called to "ensure" and be able to "demonstrate" that the processing operation is compliant with the regulation. What to do to achieve that? What elements should be considered? How to manage the implied risks?
Risk is a crosscutting concept in the Regulation, embracing the risk for rights and freedom and the risk for processing operations. How can it be managed? Are Risk assessment and DPIA models consistent?
The certification, introduced by the articles 42 and 43 and indicated by the above mentioned Commission study, provided powerful tools for demonstrating compliance with the GDPR. Regulation 2016/679 has identified ISO/IEC 17065: 2012 as the norm for accreditation of certification bodies, supported by the EDPB guidelines 4/2018. Why this standard and not another?
With the newly defined EU Wide Certification Models, the issue has affected the entire European panorama, placing institutions in front of a cultural and operational transposition problem: how to certify? What controls for those who certify? Which competences for auditors?
The debate analysed the current opportunities at European level in the area of certifications, through the words of the Tilburg researchers, the representatives of the EDPB, the EDPS and of the Osservatorio 679 board.
Patrizia Toia, MEP, IT S&D
Nicola Danti, MEP, IT S&D
10:00 – 10:10 Opening remarks by Roberto Viola, Director General DG Connect, European Commission
10:10 – 10:20 A memory of Giovanni Buttarelli by Gianluca Buttarelli
10:20 – 10:30 Introduction, Riccardo Giannetti, Osservatorio679 President
Part 1: From risk assessment to accountability tools
10:30 – 10:50 | Eric Lachaud University of Tilburg, the Commission Study on Art.42 and 43 of the GDPR EC Study on article 42/43 – Main takeaways from market scan
10:50 – 11:10 | Marco Moreschini, Osservatorio 679 member EC study: EuroPriSe and ISDP10003, two operational examples in scope Art. 42
11:10 – 11:30 | Rosario Imperiali - Lawyer, expert on privacy and data protection law
The demonstration process and tools to demonstrate the accountability
11:30 – 11:50 | Riccardo Giannetti – Osservatorio 679 President
GDPR Risk based - specific and non-specific certifications
Part 2: Debate on Guidelines 1 - 4/2018 and Annex 1 - 2 from theory to practice
12:00 – 13:00
Riccardo Giannetti, Osservatorio679 President
Bruno Gencarelli, Head of Data Protection Unit, DG Justice, European Commission
Massimo Attoresi - Data Protecion Officer, EDPS
Rosario Imperiali - Lawyer, expert on privacy and data protection law