Adhering to GDPR codes of conduct: A possible option for SMEs to GDPR certification

Research output: Contribution to journal › Article › Scientific › peer-review

Abstract

The paper shows that adherence to a code of conduct (CoC) offers small and medium enterprises (SMEs) an interesting option to a certification obtained under Article 42 of the General Data Protection Regulation (GDPR). Adhering controllers or processors benefit from rights similar to those attached to certification without having to demonstrate conformity with the content of the CoC. Moreover, CoCs offer a set of customised guidelines, approved by a data protection authority (DPA), that are accessible for free and designed to facilitate GDPR implementation. The functional scope that might be covered by CoCs is already wider than the one offered by certification, allowing controllers and processors to demonstrate compliance with a broader range of GDPR requirements. Nevertheless, using a CoC instead of certification presents some disadvantages. CoCs have a sectoral coverage, limiting availability to the covered sectors. Adherence to a CoC does not grant any seal to signal compliance to end users. The likely competition between national business representatives to draft their own CoC entails the risk of inconsistencies between one member state and another. This risk is fostered by the absence of mutual recognition between national CoCs and the absence of mechanisms to prevent duplicates at national and European levels. The option chosen by the European lawmaker to entrust the accreditation of monitoring bodies to the DPA leaves some questions open on the capacity of DPAs to handle that task. Many of them have already complained about the shortage of resources, and accreditation will require hiring additional specialised profiles. Nevertheless, adhering to a GDPR CoC, when available, offers advantages over certification that should be considered by SMEs when they seek to comply with the accountability requirement set by the GDPR.
Original language: English
Pages (from-to): 1-21
Number of pages: 22
Journal: Journal of Data Protection & Privacy
Volume: Vol. 3
Issue number: 1
Publication status: Accepted/In press - 30 Jun 2019

Keywords

  • Certification
  • codes of conduct
  • GDPR
  • data protection law

Cite this

@article{59b756644c5e4401af0d5c064a8a3aa0,
title = "Adhering to GDPR codes of conduct: A possible option for SMEs to GDPR certification",
abstract = "The paper shows that adherence to a code of conduct (CoC) offers small and medium enterprises (SMEs) an interesting option to a certification obtained under Article 42 of the General Data Protection Regulation (GDPR). Adhering controllers or processors benefit from rights similar to those attached to certification without having to demonstrate conformity with the content of the CoC. Moreover, CoCs offer a set of customised guidelines, approved by a data protection authority (DPA), that are accessible for free and designed to facilitate GDPR implementation. The functional scope that might be covered by CoCs is already wider than the one offered by certification, allowing controllers and processors to demonstrate compliance with a broader range of GDPR requirements. Nevertheless, using a CoC instead of certification presents some disadvantages. CoCs have a sectoral coverage, limiting availability to the covered sectors. Adherence to a CoC does not grant any seal to signal compliance to end users. The likely competition between national business representatives to draft their own CoC entails the risk of inconsistencies between one member state and another. This risk is fostered by the absence of mutual recognition between national CoCs and the absence of mechanisms to prevent duplicates at national and European levels. The option chosen by the European lawmaker to entrust the accreditation of monitoring bodies to the DPA leaves some questions open on the capacity of DPAs to handle that task. Many of them have already complained about the shortage of resources, and accreditation will require hiring additional specialised profiles. Nevertheless, adhering to a GDPR CoC, when available, offers advantages over certification that should be considered by SMEs when they seek to comply with the accountability requirement set by the GDPR.",
keywords = "Certification, codes of conduct, GDPR, data protection law",
author = "Eric Lachaud",
year = "2019",
month = "6",
day = "30",
language = "English",
volume = "Vol. 3",
pages = "1--21",
journal = "Journal of Data Protection & Privacy",
issn = "2398-1679",
number = "1",
}

Adhering to GDPR codes of conduct: A possible option for SMEs to GDPR certification. / Lachaud, Eric.

In: Journal of Data Protection & Privacy, Vol. 3, No. 1, 30.06.2019, p. 1-21.


TY  - JOUR
T1  - Adhering to GDPR codes of conduct: A possible option for SMEs to GDPR certification
AU  - Lachaud, Eric
PY  - 2019/6/30
Y1  - 2019/6/30
N2  - The paper shows that adherence to a code of conduct (CoC) offers small and medium enterprises (SMEs) an interesting option to a certification obtained under Article 42 of the General Data Protection Regulation (GDPR). Adhering controllers or processors benefit from rights similar to those attached to certification without having to demonstrate conformity with the content of the CoC. Moreover, CoCs offer a set of customised guidelines, approved by a data protection authority (DPA), that are accessible for free and designed to facilitate GDPR implementation. The functional scope that might be covered by CoCs is already wider than the one offered by certification, allowing controllers and processors to demonstrate compliance with a broader range of GDPR requirements. Nevertheless, using a CoC instead of certification presents some disadvantages. CoCs have a sectoral coverage, limiting availability to the covered sectors. Adherence to a CoC does not grant any seal to signal compliance to end users. The likely competition between national business representatives to draft their own CoC entails the risk of inconsistencies between one member state and another. This risk is fostered by the absence of mutual recognition between national CoCs and the absence of mechanisms to prevent duplicates at national and European levels. The option chosen by the European lawmaker to entrust the accreditation of monitoring bodies to the DPA leaves some questions open on the capacity of DPAs to handle that task. Many of them have already complained about the shortage of resources, and accreditation will require hiring additional specialised profiles. Nevertheless, adhering to a GDPR CoC, when available, offers advantages over certification that should be considered by SMEs when they seek to comply with the accountability requirement set by the GDPR.
AB  - The paper shows that adherence to a code of conduct (CoC) offers small and medium enterprises (SMEs) an interesting option to a certification obtained under Article 42 of the General Data Protection Regulation (GDPR). Adhering controllers or processors benefit from rights similar to those attached to certification without having to demonstrate conformity with the content of the CoC. Moreover, CoCs offer a set of customised guidelines, approved by a data protection authority (DPA), that are accessible for free and designed to facilitate GDPR implementation. The functional scope that might be covered by CoCs is already wider than the one offered by certification, allowing controllers and processors to demonstrate compliance with a broader range of GDPR requirements. Nevertheless, using a CoC instead of certification presents some disadvantages. CoCs have a sectoral coverage, limiting availability to the covered sectors. Adherence to a CoC does not grant any seal to signal compliance to end users. The likely competition between national business representatives to draft their own CoC entails the risk of inconsistencies between one member state and another. This risk is fostered by the absence of mutual recognition between national CoCs and the absence of mechanisms to prevent duplicates at national and European levels. The option chosen by the European lawmaker to entrust the accreditation of monitoring bodies to the DPA leaves some questions open on the capacity of DPAs to handle that task. Many of them have already complained about the shortage of resources, and accreditation will require hiring additional specialised profiles. Nevertheless, adhering to a GDPR CoC, when available, offers advantages over certification that should be considered by SMEs when they seek to comply with the accountability requirement set by the GDPR.
KW  - Certification
KW  - codes of conduct
KW  - GDPR
KW  - data protection law
M3  - Article
VL  - Vol. 3
SP  - 1
EP  - 21
JO  - Journal of Data Protection & Privacy
JF  - Journal of Data Protection & Privacy
SN  - 2398-1679
IS  - 1
ER  -