
Data protection in 2025: secure success with these data protection certifications

In today's digital world, data protection is of fundamental importance. In the face of increasingly sophisticated cyber threats, it is more important than ever for companies to protect personal data from misuse and unauthorised access. At the same time, companies that take the protection of sensitive customer data seriously strengthen their reputation and long-term customer relationships.

Image: a person signals silence with an index finger to the lips.
28/01/2025 | Essen

Data protection certifications: Greater security, fewer risks

Data protection certification in accordance with Art. 42 GDPR

With certification in accordance with Art. 42 GDPR, companies objectively demonstrate the proper implementation of the legal requirements of the General Data Protection Regulation. The certification focuses on data processing with regard to IT products, services or within the company. This makes GDPR certification relevant for all organisations that process and/or store personal data using IT-supported processing operations. The certificate issued is formally valid for a maximum of 3 years.

When will data protection certification in accordance with Article 42 of the GDPR be introduced?

True to the motto "Good things come to those who wait", the data protection year 2025 will be characterised by certification in accordance with Art. 42 GDPR. Although the requirements for certification under Articles 42 and 43 were already created when the GDPR came into force, the underlying process for approving certification schemes is complex and time-consuming. TÜVIT is currently in the accreditation process with its own certification programme. The first tests and certifications are expected to be possible from the end of Q2 or beginning of Q3 2025.


Certification according to ISO 27701 (PIMS)

Certification in accordance with ISO 27701 is another option for independently verifying fulfilment of specific data protection requirements. The international standard expands an existing information security management system (ISMS) in accordance with ISO 27001 to include data protection. This includes requirements and guidelines for the protection of privacy and the handling of personal data. Although this is not directly a GDPR certification, ISO 27701 can be used as a basis for integrating the requirements of the General Data Protection Regulation into an existing management system. In this way, companies establish a data protection information management system (PIMS) that takes equal account of the security of information and the protection of personal data.

ISO 27701 becomes a standalone management system standard

At present, ISO 27701 certification still requires prior certification in accordance with ISO 27001. However, this will change in the future. With the publication of ISO 27701:2024, which will take place in 2025, a separation from ISO 27001 is planned: unlike its predecessor, ISO 27701 is to be understood as an independent management system standard. The data protection information management system (PIMS) thus becomes a standalone system that can be set up and implemented without an ISO 27001 certification. This makes the standard interesting for a larger number of organisations.
