GDPR-compliant software: certifications and proofs

Introduction: Why GDPR compliance with software is crucial

Short: In today's digitalized business world, software is the backbone of countless processes.

In today's digitalized business world, software is the backbone of countless processes. Personal data is processed everywhere from customer management to marketing to accounting.

Since the entry into force of the General Data Protection Regulation (GDPR) in May 2018, companies have the duty to ensure the protection of these data.

The selection and use of software plays a central role. But what do you see if a software solution really meets the strict requirements of the GDPR?

This article highlights which certifications and evidence are relevant for DSGVO compliant software and what companies should pay attention to when selecting.

What does "GDPR-compliant software mean?

Short: A software is not "compliant with GDPR".

A software is not "compliant with GDPR". Conformity always depends on concrete use in the company. Nevertheless, a software must create the technical and organizational conditions to enable data protection-compliant operation.

The core principles of the GDPR, which are at the forefront of this, are "Privacy by Design" and "Privacy by Default" (data protection by data protection by data protection-friendly defaults).

This means that the software must be developed from scratch so that it supports data protection and uses the most data-saving settings by default.

Specifically, a data protection-compliant software should offer the following functionalities:

• Shift binding: Data may only be processed for the specified, unambiguous and legitimate purpose.
• Data minimisation: Only the data that is absolutely necessary for the purpose are collected and processed.
• Laws of persons affected: The software must enable users' rights (device, correction, deletion, etc.) to be easily and timely implemented.
• Safety of processing: Ensuring confidentiality, integrity, availability and resilience of systems through appropriate technical and organizational measures (TOMs).

Certifications as proof of conformity

Short: Certificates can be an important indication of the privacy of a software.

Certificates can be an important indication of the privacy of a software. They provide an independent confirmation that certain standards are complied with.

Is there an official "GDPR certification"?

Short: A frequently asked question is the "GDPR certification" which is officially recognized by the state.

A frequently asked question is the "GDPR certification" which is officially recognized by the state. The short answer is: No.

To date, there is no uniform seal accredited by the data protection authorities, which certifies a software standard GDPR conformity.

Although Article 42 of the GDPR provides for the possibility of such certification procedures, the implementation in Germany is slow. Companies must therefore:

References and further reading

Short: The following independent references complement the topics in this article:

The following independent references complement the topics in this article:

• Bitkom – German digital industry association
• German Federal Office for Information Security (BSI)
• European Commission – Digital strategy
• MDN Web Docs (Mozilla)
• W3C – World Wide Web Consortium

"ERP programmes rarely fail on software selection; they fail on unclear process ownership."

— Björn Groenewold, Managing Director, Groenewold IT Solutions