Trust and Internet Identity Meeting Europe
11-14 Feb 2019: Workshops and Unconference

TIIME 2017: Session 12 Open Conformity Access Scheme for GDPR

(Colin Wallis)

It's not so much the technical doing but the strategic and marketing thing if there is a demand, and how do we encourage it, who do we need to influence, the writing is not that difficult. If we look at the market there are likely already GDPR schemes and they usually work with the likes of Deloittes, KPMG, etc. We know that they are around but also that they are closed. These guys are building criteria against their own set of requirements. They have their own conformity assessment, so you have to be in their club and pay.

Colin : The other thing is IAPP (International Association of Privacy Professionals), my sense is that they probably have something but then I haven't actually done the research. They certainly got stuff on their website, heaps on GDPR.

Allan : That does not sound like their model. They are professional organization as opposed to conformity organization. More like to prepare professionals for GDPR requirements.

Colin : Then you have the Data Protection Agencies. There are 28 of them that potentially could be DPAs who are in scope because every organization has to associate itself with a DPA. You have to create an association before the enforcement date because you have to tell them if you have a breach and they have to know that you are operating as well. So there is a question whether a DPA would afford looking for one. It might create some assessment. Would they go as far as a full-blown third-party assessment scheme that might induct with a trust market? Doesn't make sense. So that's why we are left with a scheme that is not the IAPP, not the DPA, but most certainly not Deloittes, but an open scheme which has been created by the community.

Allan : The thing about this is that there is no value there for the community. In order to be able for it to be a conformity assessment, they need to be assessed. You need to have an agreed upon a framework for that assessment to be acceptable. If you go to an open scheme and you get a commitment from the DPA, you are meeting the compliances of GDPR. We need to find out who are the people responsible for it.

Heinrich : We are talking about equivalents from the identity schemes. In the 90s they started with this eID stuff and each of our 500 million citizens should have the right to get a legal identity from the state. But the state said go home we will never do a pan European thing. It comes down to a similar thing for GDPR.

There is an EU issue regulation and a requirement for conformance and penalty for non-conformance.

Colin : Paul Nemitz (Director of Human Right in the Justice DG at the EC) and is the person to ask and he is based in Brussels. We would have to talk to him and see.

Allan : The GDPR itself does have capability within the regulation for certification bodies. I don't know who I was having the conversation with, and I believe that is the perfect thing to look at. We need to find out what it takes to be accepted in that set of bodies.

Colin : Let's assume that that is possible that we can build a scheme that could be approved by the Justice DG then is there going to be a market for it. We are making an assumption that there will be. Is there a difference for market demand from within the EU and outside of it? Given that it's a big bother, how would we approach it? The theory is if we are going to build it, we will build it by section or principle. We might have to turn something up straight away and would it be "how to structure a scheme in parts?", "What do we think that would be? A gold, silver bronze level? A degree of conformance."

Allan : The GDPR doesn't seem to have degrees of conformance. They do give a list of potential items.

Allan : The articles 42 and 43 are about certification bodies. (1)

There is a however a problem because on 43 (see reference (1) below), Article 55 is also important. (See reference (1), article 55)

Allan : There is a little bit of specification on how that happens.

Colin : When they are talking national authorities are we talking about the Deloittes, IAPP DPA etc.?

The certifying body has to be certified by the relevant EC department otherwise it won't work.

Ruth : In Article 29 working party, they find about certification bodies ..

This working party was set up under the European Commission. The WP has been going on for quite some time.

All of the assessors would be ISO certified or equivalent. We don't have one, if we put it so that its ISO certified and assessed by our assessors. It's a start.

There is a liability as the penalties are not insignificant. One reason why it will cost a lot. But what would be interesting is that if one was to go into this business, it's very careful which clients you choose.

Allan : The question is its quite easy, and if someone doesn't have the requirements, they can't be certified. It's great to go to Google as one could go to them, they would pay and they wouldn't get much out of it. There is an interesting aspect. An interesting point that struck me is an American using an American service completely in America simply on vacation, in EU simply using a service that is in the US that is liable for GDPR. It's simply transiting a network enough to trigger the process because of some physical presence. However, there is no data processing in EU, no permanent in the EU, does that count? I think that the GDPR would be well suited to leave that alone, as it's an appeal in court for that to happen. The data is not processed in the EU nor is it EU data. If this is true it might bring a good aspect for US customers. A server that is established in the US for a particular community with absolutely no expectation that there is nobody looking outside of the US looking at it but it might be me looking at their schedule from the EU. Is it under the jurisdiction of GDPR or not?

Reference to all articles (1) http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf