GDPR and Certification

Published on: 1st August 2018

We’ve had a few instances of people asking us how to attain ‘GDPR Certification’. Let’s be clear: there is no such thing. You can’t be ‘certified compliant’ with GDPR any more than you can be with, say, VAT legislation. GDPR does provide, in Article 42, for voluntary certification schemes covering specific processing operations, but none had been approved at the time of writing, and Article 42(4) is explicit that a certification does not reduce a controller’s or processor’s responsibility for compliance. No organisation would be willing to accept the liability of rubber-stamping a company as “fully GDPR compliant”. Data protection regulations such as GDPR and DPA18 are a new fact of business life: you need to build compliance into your business processes and cultural behaviour in the same way that you build compliance with VAT legislation into your day-to-day invoicing and accounting activities.

What you can do, however, is pursue qualifications and certifications that show you are taking personal data protection and wider cyber security seriously. Such certifications include Cyber Essentials and IASME; the latter covers more of the topics you need to think about to get, and stay, on the road to GDPR compliance. Bear in mind that these certify your security controls and governance against their own standards, not your compliance with GDPR itself.

Of course, whether or not you choose to seek these certifications, you still need to do the basics: record details of your devices, software and third-party relationships and, joining it all together, the business purposes for which you hold and process personal data. Why? Not just to cover yourself if you get audited, but because doing so leaves you better prepared to handle any Subject Access Requests or Data Breaches and, most importantly, identifies the actions you need to take to make your organisation safer and more resilient. Your customers will thank you, and you’ll sleep better at night. Sweet dreams!

PYXI GDPR Team: 1st Aug 2018 08:31:00