Q&A About Exponea’s GDPR Certification

Lenka Gondova


Ever since we announced that Exponea is GDPR certified, a lot of people have asked us what it actually means. To make sure that we answer the most pressing questions, we have prepared this FAQ.

1. There is no such thing as GDPR certification yet!

Once it does exist, our certificate will change only by the addition of the accreditation logo of LL-C, once LL-C gets accredited.

Our certificate is valid for 3 years with annual surveillance checks, which makes it sufficiently qualified. During that time, the EU will harmonize the schemes and national bodies will accredit established companies as well as new certification bodies. This will allow us all to benefit from the trust that those certificates are supposed to provide to the end consumers or customers using the certified product or buying from certified vendors.

2. Are we prepared enough to get certified?

That question was answered by the auditors during the audit. The preparation workload is a different story. This is not the end; on the contrary, every day we are finding new opportunities for further improvement, and we will have to overcome many more challenges.

We also expect changes in the interpretation of GDPR, and we are adjusting our system to any new developments.

3. How do we know that we are the first in the world?

Having had our GDPR certificate issued in March 2018, we expect that we are the first. This remains a valid assumption until somebody sends us an earlier certificate issued according to the scheme that was named in the GDPR at that time (EC 765/2008).

There are a lot of valuable certification schemes that we may use in the future as well, if we find value in them, but they did not manage to be named in the GDPR, as was the case for the certification mechanism EC 765/2008.

4. Your GDPR certification isn’t accredited

We are transparent, and that is exactly why we frequently communicate that our GDPR certification is not yet accredited.

Again, as we have mentioned already, there are also other certification schemes that we may use in the future, if we deem them valuable. Yet, none of them were named in the GDPR as was the certification mechanism EC 765/2008.

Closing thoughts

Reactions to our GDPR certification varied: some people congratulated us, while others said that an unaccredited certification doesn’t mean anything.

If there are any new requirements once the EU member states and the board express the definitive path to GDPR certifications and accreditation requirements, there are transparent mechanisms for a delta audit. This would take place during our certification cycle, in the scope of a surveillance audit, for the certificate to become accredited.

GDPR has been here for two years, so changes might happen, but only in the informal procedures on how to become certified and how certification bodies become accredited, not in the basic requirements.

The added value of our certificate is that someone experienced in certifications has conducted an independent review of all requirements, giving us independent feedback on our achievements.

The bottom line is that we are doing whatever it takes to make sure that the privacy, as well as the security, of our clients and data subjects is continuously cared for, and that’s what matters the most.
