Professor Paul de Hert from Vrije Universiteit Brussels discussed EU Data protection, Legislation and Certification in the context of the CRISP project at the CRISP final conference in Brussels 16th March 2017.

1. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
EU Data Protection Legislation &
Certification
Prof. Paul de Hert
Vrije Universiteit Brussel (LSTS)

2. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
Outline
What is new with data protection legislation in
the EU?
What is the impact for the security industry?
Data protection and self-regulation
Data protection certification mechanisms
Relevance to CRISP
Conclusions and main points for discussion

3. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
 General Data Protection Regulation 679/2016
 Reform started in 2012 (EC public consultation in 2010)
 679/2016, adopted in 2016 – applicable from May 2018 onwards
 Replaces the Dir 95/46/EC.
 99 articles, 173 Recitals
 Aim to modernise the legal framework the fundamental right to
protection of personal data
 Directive 680/2016
 Reform of legislation on protection of privacy for electronic
communications (2017 Commission proposal for an ePrivacy
Regulation)
What is new with data protection legislation in
the EU?

4. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
What is the impact for the security industry?
 Security manufacturers and organisations that employ security
measures that collect, process, use, store, personal data (e.g.
images of persons) need to comply with the legislation.
 Example: surveillance cameras:
 Manufacturers need to implement measures to facilitate compliance with
the legislation. Such as: data protection by design and data protection
by default. Example: a CCTV system is designed to erase data
automatically or a drone used to blur the image of persons (e.g.
children)
 Organisations that employ security measures: most of the times are data
controllers. They need therefore to comply with the legal obligations
stemming from the data protection legislation.

5. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
Emerging field: Data protection and self-
regulation
 The General Data Protection Regulation includes several ‘self-
regulation’ provisions
 Codes of conduct (e.g. in specific sectors cloud computing industry,
marketing, or other)
 Certification
 Standardisation (limited references in the text, relates to certification)
 Data Protection Impact assessments
 Aim:
 help organisations comply with the legislation,
 offer transparency in relation to practices of organisations

6. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
Data protection certification mechanisms in the General
Data Protection Regulation
 Art. 42 and 43 GDPR
 Third party conformity assessment – external auditors.
 National data protection certification mechanisms AND possibility for
European Data Protection Seal.
 Main actors involved – controllers/processors, certification bodies,
supervisory authorities (DPAs).
 Emphasis on oversight and control.
 Unclear terminology – ‘certification’ , ‘seals’, ‘marks’ – could lead to legal
uncertainty and non-harmonised application.

7. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
Data protection certification mechanisms: Oversight by
data protection authorities
Type Content GDPR Provision
Tasks Encourage the establishment of data protection
certification mechanisms
57(1)(n)
Approve certification criteria 57(1)(n)
Draft and publish accreditation criteria 57(1)(p)
Conduct accreditation of certification bodies 57(1)(q)
Investigative Powers Review issued certifications 58(1)(c)
Corrective powers Withdraw certification 58(2)(h)
Order certification body not to issue or withdraw
certification
58(2)(h)
Authorisation powers Accredit certification body 58(3)(e)
Issue certifications 58(3)(f)
Approve certification criteria 58(3)(f)

8. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
General Data Protection Certification mechanisms:
effects and ‘rewards’
• Voluntary certification
• Certification based on the GDPR does not reduce the responsibility of
the controller or the processor for compliance with the GDPR. (art.
42(4))
• No presumption of conformity with the legal obligations stemming
from the GDPR. The authorities can conduct investigations to certified
organisations.

9. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
So why would organisations be interested to be certified in
line with the new EU data protection law?
 Art. 83 GDPR: supervisory authority, when deciding whether to
impose an administrative fine and deciding on the amount of the
administrative fine should give due regard on whether the controller
or processor has adhered to approved data protection mechanisms
of art. 42
 Data protection transfers (appropriate safeguard without requiring
any specific authorisation from a supervisory authority) – certification
+ binding and enforceable commitments, via contractual or other
legally binding instruments”. (art.44)

10. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
Where does CRISP fit in this development?
 CRISP: evaluation and certification of security technologies in
terms of 4 dimensions:
 Security
 Trust
 Efficiency
 Freedom infringement
 Freedom infringement dimension includes data protection
requirements based on the General Data Protection Regulation
 CRISP provides a good assessment to an organisation on
whether it complies with legal obligations.
 Builds on work done by other certification schemes such as
EuroPrise, adapted to new data protection legislation

11. CRISP Final Conference – 16 March 2017 6th CoU Meeting, Brussels
Conclusions –open questions for the panel
discussion
 New EU legislation on data protection affects the security industry
 To what extent different security sectors are affected?
 Manufacturers and organisations need to comply with legal obligations stemming from data
protection law.
 Which obligations can be part of a certification scheme?
 Due to complexity of legal provisions and multitude of obligations, the General Data Protection
Regulation includes self-regulation tools that help organisations be accountable and comply (such
as certification)
 What is the relation of certification with the other tools in the data protection legislation? For instance, standards?
 GDPR Certification is voluntary, includes strong oversight mechanisms from public authorities (data
protection authorities).
 Should it be voluntary?
 CRISP has developed an evaluation methodology which, for its data protection part, takes into
account the new requirements of the new legislation.
 How CRISP’s different dimensions and requirements are interrelated? What happens in case of conflicting
 Going through the CRISP evaluation (and certification) shows to the organisation, and to external
parties, which is the level of data protection of the certified/evaluated organisation.
 Who is the target audience of CRISP certification?

12. Thank you
e:Paul.de.hert@vub.be
12