Exponea’s Path Towards GDPR Certification

Lenka Gondova, General


I’m Lenka, Exponea’s DPO, and I’d like to share with you the story of our GDPR audit from my perspective.

It all started when our CEO and I met to discuss the company objectives and key results (OKRs) for Q1 2018.

It was during this meeting that our CEO asked a simple question: “How can we be the first GDPR-certified SaaS company in the world?” I couldn’t answer that at the time, and I left with a lot of questions on my mind but no answers just yet.

I had to consider several pitfalls:

  1. There is no such thing as GDPR certification yet.
  2. Are we even prepared enough to get certified?
  3. How do we know that nobody else in the world is already working on something that they will finish before us?

Over the next three months, we had to solve most of these to get where we are now.

Evaluating paths to certification

Article 43 of the GDPR names two routes for accrediting certification bodies. One is accreditation by the national accreditation body named in accordance with Regulation (EC) No. 765/2008 of the European Parliament and of the Council, carried out in accordance with EN-ISO/IEC 17065:2012. The other is that each country’s supervisory authority sets its own requirements, but both routes must provide comparable results, so their principles will be aligned.

Concerning ISO schemes, there are clear rules for transferring a certificate from one certification body to another. That would only matter in the improbable scenario that our certification body, LL-C, did not go through the accreditation process, which in their situation is just an amendment to their existing accreditations for the certification of management systems and for product certification according to ISO/IEC 17065:2012.

Later in the quarter, when we updated the OKRs with the CEO, we agreed that even if we could not find an appropriate way to become GDPR certified, we at least wanted an independent audit that could be used for later certification. When we discussed the possibilities of certification with our data protection authority, it was obvious that even though we do not have a local scheme yet, it will be strongly influenced by the ISO scheme. No wonder: ISO/IEC 17065 product certification is well elaborated and is the result of a consensus of all countries involved in the ISO standardization process.

As a DPO, the main value of this audit for me is an independent check of what we have prepared. I don’t really care whether we are first, second or twelfth; the main focus is to get qualified and independent assurance of our compliance status.

Of course, as a compliance person, I truly believe in the added value of certifications, and those that are meant to provide independent and consistent assurance must be based on some sort of accreditation process. But at the beginning of every accreditation scheme there have always been some first unaccredited audits.

Two years ago I went through a similar process of adapting EU legislation to the national accreditation and certification system, when eIDAS had to be implemented by 2 July 2016. I promised myself never to go through a first accreditation again! But since that experience, and also as an expert for the national accreditation body, I have witnessed almost the same steps being required of every new assurance system. Somebody must be first and show that it is possible.

So when I was considering our options, it was obvious that an unaccredited certificate can almost always be turned into an accredited one later. If any new requirements appear once the EU member states and the Board express the definitive path to GDPR certification and the accreditation requirements, there are transparent mechanisms for a delta audit. This would take place during our certification cycle, in the scope of a surveillance audit, for the certificate to become accredited. But GDPR has been here for two years, so changes are likely only in the formal procedures for how to become certified and for certification bodies to become accredited, not in the basic requirements. The added value of our certificate is that someone experienced in certifications has gone through an independent review of all the requirements, giving us independent feedback on our achievements.

Anyway, turning our certificate from unaccredited to accredited will be the hard work of the certification body; our work would be done after the audit.

The Journey Begins!

We ended up selecting the company LL-C to be our auditor. The choice was obvious because they have proven themselves many times to be certification-body pioneers, and they certified us to the ISO 27001 and ISO 9001 standards in 2017. LL-C is one of the leaders in the sector, present in more than 50 countries. It holds extensive global accreditations, recognitions and agreements, always taking into consideration new needs and requirements from different markets and industries.

When we were talking about the upcoming ISO 27017 and ISO 27018 audits, I found that they had already asked their national accreditation body to start the GDPR accreditation process as an amendment to their established accredited product certification system according to ISO/IEC 17065:2012. So they were prepared to start; for them, the first GDPR audit just came a bit earlier than they had expected. We agreed that it had mutual benefits to do a non-accredited GDPR certification audit and later turn it into an accredited one during a surveillance audit.

GDPR Changed Exponea’s Mindset

Back in 2016, when we first started hearing rumors about GDPR, not a lot of people took it seriously at first. What most of us thought at the time was that we were going to “hack it somehow”; it’s not that big of a deal, or is it?

This sentiment was about to change over the following months. A few of our clients started asking us about GDPR with ever-increasing frequency, and our notion of hacking it slowly started to vanish. Hacking it just wasn’t an option anymore; we needed to take it seriously if we wanted to keep our clients and their customers safe, and of course we did want that!

The time came for us to uncover what GDPR actually meant.

We read through all the available materials and our cocky smiles started to freeze on our faces. We didn’t think that anyone could actually get compliant. We thought it was utterly ridiculous. But in time we started to realize that it is actually not impossible, just extremely difficult, and we found a way to do it, although it required the help of everyone in the company.

During the months that followed, we went through phases of exhilaration when we thought we were almost done, yet we always found another complication standing in the way and needed to delve deeper to find the ideal solutions to these newly uncovered challenges.

Since we had imposed a certification deadline on ourselves, it forced us to persevere, and as the deadline got closer we increasingly started to feel that we could actually make it. GDPR stopped being a terrifying topic and became something we could be proud of. Somewhere during the process our mindset shifted; we understood its point and made it our own.

Nowadays we can confidently say that GDPR was a great launchpad for our mindset. We learned how to apply a healthy dose of sanity and to balance risk levels in a human way while adhering to the underlying essence of GDPR. It taught us to approach our clients’ and their customers’ data with the utmost respect and to make sure it is secured and used only in the best interest of the data subjects.
