Exponea Becomes the First SaaS Company to Get GDPR Certified by LL‑C

Katarina Karmazinova

Exponea, an AI-enabled marketing automation platform that enhances data analytics for e-commerce clients like Misguided, has become a European pioneer in GDPR certification issued by LL-C.

In the wake of data privacy scandals, topped by the recent ICO fines issued to Flybe and Honda, which sent unwanted emails while ill-prepared for GDPR, an independent audit of companies that control and process data may be not just a good idea but a necessity. With 33% of global businesses still unready for the looming legislation, valid GDPR certifications could see a surge of interest, especially in e-commerce, given the nature of the business and the possible risks to reputation.

GDPR is legislation with teeth, and it affects all companies that control and process data. Under GDPR, data controllers (such as e-commerce companies) are responsible for choosing a secure data processor (a SaaS or marketing cloud provider) to whom they pass the data for further profiling.

That is why data processors like Exponea, an advanced data management platform empowering e-commerce, got audited by LL-C, an independent organisation that has proved its competence against international standards and operates in 55 countries.

There are many certification schemes that offer assurance. However, none of them is specified in the GDPR in the way that the system of product certification according to Regulation (EC) No 765/2008 is. This is what makes the GDPR certification unique.

“To audit Exponea, LL-C followed the same product certification procedures applied to the issuance of the accredited ISO/IEC 17065/2012 certification,” explained Lenka Gondova, who consulted Exponea in its preparation for GDPR as its DPO. “Exponea then followed the mechanisms of getting a certification defined in the GDPR legislation,” she added.

  • The GDPR certification is valid for three years with an annual surveillance audit.
  • The main risks linked to the new data subject rights revolve around unclear permissions to collect and process personally identifiable information (PII), and grey areas in the legislation about when data processing can be justified on the basis of legitimate interest without prior consent.
  • The biggest challenge for a data processor like Exponea is to be technically able to handle any request from its end customer prescribed by GDPR data subject rights, whether it is data deletion, anonymisation, data download or an objection to customer data processing.

GDPR work does not end on May 25th; it is an ongoing process. There will be new explanations by authorities, first warnings, reprimands and fines. Even certified companies will need to stay up to date.