Expert Blog: Seals and Sharks

October 26 16:02 2017

Your organisation is going to have to provide evidence of compliance with GDPR from next May. In the words of Elizabeth Denham, “GDPR expects businesses to put data protection accountability at the centre of their business processes.”1

This relates to a significant change from the Data Protection Act to GDPR. The DPA said ‘Here’s what we’d like you to do to achieve compliance’ while GDPR says ‘Prove it’.

Evidence of compliance is required by Article 24 (“…controller shall …be able to demonstrate that processing is performed in accordance with this Regulation”) and will be required by supervisory authorities, but will also be required by your business partners.

Article 26 talks about joint controllers and making arrangements available to data subjects.

Article 28.1 requires controllers to ensure their processors are compliant – “the controller shall use only processors providing sufficient guarantees … that processing will meet the requirements of this Regulation…”

So what can you do about this evidence? How much, covering what, and who does it?

One immediate answer comes in the form of Codes of conduct (article 40) and certification (article 42). I’m very surprised there has been so little discussion of this area … yet. These articles provide the facility for organisations to be tested and approved for compliance, and to be allowed to use a seal that proves it. Like the ISO 9000 kitemark, these seals provide all the evidence a supervisory authority or business partner needs that you comply. Evidence of compliance is reduced from an audit / inspection / DPIA to pointing at the seal and saying “We’re compliant”.

Until some enterprising organisation takes the bull by the horns and comes up with a certification scheme (they need to be independent and savvy … which sounds like a job for the GDPR Institut), probably the best option is to push for a Code of Conduct to be developed by your trade body.

I’m a great believer in adopting a herd mentality when it comes to compliance with new regulation, and this is no exception. Really, go and push your trade body and ask them when they are going to produce a Code of Conduct for GDPR, so you can have a seal.

The alternative is to take a swim with the sharks. My inbox is drowning in companies offering services to help me comply with GDPR, and I’m sure I’m not alone. Not all of them are sharks of course, but it’s difficult to see who has the pointy teeth in all the thrashing. I’d much rather swim with a seal than a shark.




  1. ShamrockInfoSec
    November 01, 13:44 #1

    Iain, well put indeed.
    The only caveat I see is with the compliance analogy you refer to in the form of the ISO 9000 series (could have been 27000 series as well).
    My experience says that another pointy teethed animal is at play in a lot of cases here too, it’s called the paper tiger.

    • iain_heron
      November 01, 20:41

      Thanks for the response ShamrockInfoSec – with your nickname I can see why you propose the ISO 27k analogy. I keep mentally referring back to my GDPR programme principles – ‘GDPR is not an IT programme, it’s a business change programme’ so I try to focus on a more business orientated compliance standard.
