Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR

Section 5.3  Evaluation methods and methodology of assessment

61. A conformity assessment to help demonstrate compliance of processing operations requires identifying and determining the methods for evaluation and the methodology of assessment. It matters whether the information for the assessment is collected from documentation only (which would not be sufficient in itself) or whether it is actively collected on site and by direct or indirect access. The way in which information is collected has consequences for the significance of certification and should therefore be defined and described.

Procedures for the issuance and periodic review of certifications should include specifications to identify the appropriate level of evaluation (depth and granularity) to meet the certification criteria and should include the provision of:

• information about and specification of the applied assessment methods and findings collected e.g. during on site audits or from documentation,

• evaluation methods focusing on the processing operations (data, systems, processes) and the purpose of processing,

• identification of the categories of data, the protection needs and whether processors or third parties are involved,

• identification of roles and existence of an access control mechanism defined around roles and responsibilities.

62. The depth of evaluation has an impact on the significance and value of the certification. By reducing the depth of evaluation for pragmatic purposes or to reduce the costs, the significance of a data protection certification will be diminished. Decisions on the granularity of the evaluation on the other hand, may exceed the financial capabilities of the applicant and often the capability of evaluators and auditors, too. For purposes of demonstrating compliance it may not always be crucial to reach a very detailed analysis of the IT systems used to remain meaningful.