During our Privacy Café in Waterloo on the 21st of November 2022, we will discuss the new Europrivacy certification of products and services. Timelex, one of the partners of Europrivacy, will dig into this subject. In this article we already answer some emerging questions.
What is EuroPrivacy?
Europrivacy is a certification scheme that can be used to demonstrate compliance with the GDPR. This certification scheme can be used to certify products or services and can be seen as an optional way to show compliance to customers, business partners and data protection authorities. This certification, however, will not exclude you from possible enforcement actions by those authorities.
Europrivacy is the first scheme that covers all EU countries. Its criteria have been approved by the EDPB.
What can be certified?
The main idea is that you certify a process, not the entire organization. This means that, for example, you can certify your salary process, your CRM process, … As a result, one might think to certify all business processes accordingly. However, this might have a large impact on your budget. Selecting core processes, based on their sensitivity, might be a better scope for your certification.
What is the cost of certification?
In the end, the only answer is that "it depends". But before you can even think of certification, you will need a welcome pack of 6000 euro per year (valid for 3 years). This will give you access to all the resources needed and the possibility to publish 2 certificates in the Europrivacy registry.
Secondly, you will need resources for the implementation process itself. In order to make your existing processing activity compliant with the scheme, you will (probably) need to make changes. If you are in the process of defining a new processing activity, you will have the opportunity to define your product or service in accordance with the scheme, by design.
The third cost will be the certification cost itself. That cost will mainly depend on the number of audit days, so scope and complexity will play a role here.
Finally, you will have the maintenance cost. The Europrivacy certificates are valid for three years and monitored through yearly surveillance audits, i.e. one audit within 12 months and another within 24 months after the certificate has been issued.
What are the certification criteria?
The certification criteria (scheme) can be seen as the 'standard' that will be used in order to evaluate your product or service. They contain core and complementary criteria, TOM-related criteria (technical and organisational measures), criteria related to the surveillance audits and criteria related to national obligations. As far as we know, the scheme is not published and will only be available once you have purchased the welcome pack.