The GDPR introduces a new mechanism for certification as an element of the accountability of data controllers and processors. Certification is stipulated in Articles 42 and 43 and should play an important role in achieving a high level of data protection. However, it is still unclear what role certification will play in practice. This is not only because the mechanism is new, but also because the GDPR itself leaves essential issues open. Member States, DPAs, accreditation bodies, certification bodies, the EDPB and the Commission all have a role to play. We may expect a variety of national certifications and, at EU level, the European Data Protection Seal. Moreover, GDPR certification does not stand on its own, but closely relates to certification in other fields, for instance information security. This panel will discuss questions such as:
• What is the purpose of certifications and codes of conduct?
• What are the pros and cons of the different GDPR certification options and which option can better serve the underlying purpose?
• What can we learn or leverage from information security certification?
• Is there any common ground between GDPR certification and the cybersecurity certification framework stipulated in the draft EU Cybersecurity Act?
• What factors should the Commission consider when adopting implementing and delegated acts?