GDPR-CARPA stands for GDPR-Certified Assurance-Report based Processing Activities certification mechanism
It is developed by the Commission Nationale pour la Protection des Données (the ‘CNPD’) in Luxembourg with the objective to provide the data controllers and/or data processors with a high level of reasonable assurance that they have set up, implemented and that they are operating technical and organisational measures to comply with the GDPR for the processing activities in scope of the certification.
The GDPR-CARPA certification scheme is a voluntary process to assist controllers and/or processors in supporting their demonstration of compliance with the GDPR to other businesses, to a supervisory authority or to the data subjects, meaning that they demonstrated the existence and implementation of appropriate measures for the protection of personal data as required by the GDPR.
Grant Thornton Audit and Assurance S.A., Luxembourg as a certification body
Grant Thornton Audit and Assurance S.A., Luxembourg (“GTAA”) is officially accredited by the Commission Nationale pour la Protection des Données (the ‘CNPD’) in Luxembourg to provide GDPR-CARPA certification services against the GDPR-CARPA certification criteria.
GTAA has defined a step-by-step approach toward certification.
- Application for certification and acceptance
- Engagement set-up
- Execution of the audit and evaluation
- Assurance report
- Certification decision and delivery of the certification
- Monitoring of the certified activities
- Annual re-certification
1. Application for certification and acceptance
Any applications for GDPR certification services are reviewed by GTAA to make sure that the subject matter of certification is aligned with the admissibility criteria of the GDPR-CARPA scheme, and that there are no professional or independence restrictions for GTAA to get involved in the attestation engagement.
GTAA may reject an application for GDPR certification services, or refuse to maintain a contract with an existing client, if fundamental or demonstrated reasons exist (as specifically related to the scope of certification), such as:
- The (potential) client participating in illegal activities, having history of repeated non-compliances with certification requirements, or similar client related issues, OR
- The application, the (potential) client, the requested services or the existing services conflict with GTAA’s standards and polices established on a local or group level; OR
- The (potential) client and/or engagement (no longer) satisfy GTAA’s acceptance and continuance requirements.
Once the certification application is accepted, GTAA adheres to drafting and sharing the proposal, including relevant details about the scope, fee and planning.
2. Engagement set-up
Upon confirmation of the proposal, GTAA will propose an engagement letter which outlines the terms of the ISAE 3000 attestation engagement in alignment of the professional standards applicable to the audit profession, as well as the GDPR-CARPA specific requirements of the GDPR-CARPA certification scheme. Depending on the arrangements with the prospect client, the engagement could envisage the issuance of an ISAE 3000 report on the test of design first, and an ISAE 3000 report on the test of design and operational effectiveness at a later point in time.
The ISAE 3000 engagement on the test of design provides assurance over the fairness of the presentation and description of the client entity’s system and the suitability of design and implementation of the controls as at a specific date. The ISAE 3000 engagement on the test of design and operational effectiveness provides additional assurance over the operating effectiveness of the controls throughout the evaluated period.
The ISAE 3000 report on the test of design might be used in a transition phase towards obtaining an ISAE 3000 assurance report on the test of design and operational effectiveness. A GDPR certificate is effectively supported only by an ISAE 3000 assurance report on the test of design and operational effectiveness.
3. Execution of the audit and evaluation
During the audit GTAA focuses on evaluating the design and operational effectiveness of the data protection controls in place for the processing activities in scope based on the GDPR-CARPA certification criteria. During the evaluation GTAAuses appropriate evaluation methods as defined by ISAE3000 that consider the specifics of the mandate’s scope and client’s organisation. The evaluation methods may involve different procedures or a combination thereof (inspection, observation, confirmation, re-performance and inquiry).
4. Assurance report
This phase involves the review of the audit activities by the lead auditor and the quality reviewer. The output of this phase results in a certification decision.
5. Certification decision and delivery of the certification
The certification decision in based on the evaluation documented in the ISAE3000 assurance report.
A positive certification decision is issued if the assurance report contains an unqualified opinion. In case of a qualified opinion, a positive certification decision could be issued for a reduced scope limited to the part of the subject matter that is not affected by the qualification.
The positive certification decision is followed by the issuance of a GDPR certificate. Information for all certification decisions is kept public on GTAA’s website.
6. Monitoring of the certified activities
GTAA performs monitoring on the certified activities within the period of the initial certification. The monitoring is the annual re-performance of the assurance audit for the purposes of extending the validity with one more year within the overall three-year certification period.
7. Annual re-certification
The initial GDPR certificate is valid for a period that equals the period covered by the ISAE 3000 assurance engagement (minimum 6 months, and maximum 1 year) and could be renewed for up to 3 years. Every year (at the ISAE 3000 engagement anniversary) GTAA performs a new ISAE3000 assurance engagement for the same scope of processing activities covered by the initial GDPR certificate.
GTAA plans and implements the evaluation activities to allow performance of a review in an effective manner in terms of scope, timing, direction of the engagement.
Evaluation methods include, where applicable:
- A method for assessing the necessity and proportionality of processing operations in relation to their purpose and the data subjects concerned;
- A method for evaluating the coverage, composition and assessment of all risks considered by controller and processor with regard to the legal consequences pursuant to Articles 30, 32 and 35 and 36 GDPR, and with regard to the definition of technical and organisational measures pursuant to Articles 24, 25 and 32 GDPR, insofar as the aforementioned Articles apply to the object of certification, and
- A method for assessing the remedies, including guarantees, safeguards and procedures to ensure the protection of personal data in the context of the processing to be attributed to the object of certification and to demonstrate that the legal requirements as set out in the criteria are met; and
- Documentation of methods and findings.
The evaluation methods are reviewed and re-adjusted at the occurrence of relevant changes, such as changes in the legal framework, the relevant risks, the state of the art and the implementation costs of technical or organisational measures.
Process to ensure impartiality
GTAA has well established processes to ensure the impartiality of the certification services all along the certification process. Risks to impartiality are monitored and identified in accordance with the procedures in place. In order to safeguard impartiality, GTAA follows the restrictions on providing audit and not-audit services to the client.
Any potential impartiality or conflict of interest issues are documented and resolved prior to client and/or engagement acceptance.