Daily Archives: June 23, 2016

The Bavarian DPA Issues Paper on Certifications Under the GDPR

On June 22, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on certifications under Article 42 of the General Data Protection Regulation (“GDPR”). The GDPR will become effective on May 25, 2018.

This paper is part of a series of papers that the Bavarian DPA will be issuing periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasizes that these papers are non-binding.

The GDPR allows DPAs to issue data protection certifications to companies. According to the Bavarian DPA, such certifications would allow companies to demonstrate that their data processing activities comply with the requirements of the GDPR; however, certified companies must still comply with the law and can be subject to supervision by DPAs. Nevertheless, the Bavarian DPA states that certification can still be beneficial for companies in the event of a DPA investigation. According to the DPA, it is important that companies applying for certification have a thorough knowledge of their data processing activities and have documented them in a transparent manner. Furthermore, the DPA stated that companies that already have data processing inventories and good data protection management will be able to fulfill the essential requirements for certification.

The DPA emphasized the GDPR's requirements that a certification be issued for a maximum period of three years and that a certification can be withdrawn if the company no longer meets the requirements for it.

The Bavarian DPA believes that certification under the GDPR has great potential and can provide clarity as to whether data processing operations comply with legal requirements under data protection law. In particular, the DPA thinks that certification could be beneficial for cloud providers, as it would allow customers and individuals to get a better understanding of the level of compliance of specific products. However, this requires that new practical certification processes be developed and that existing certification processes be updated accordingly.

Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further… The UK …

Enterprise Security Weekly #7 – Web Application Scanning

This week on Enterprise Security Weekly, Tenable makes a strategic partnership to ease authenticated vulnerability scanning, Avast announces a much faster antivirus engine, RiskSense unveils cyber risk scoring that allows some other kind of scoring that you might be familiar with, and Alert Logic goes into the cloud. All that and more, so stay tuned!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode7