Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
Section 6.1 Existing standards
69. Certification bodies will need to consider how specific criteria take existing relevant instruments, such as Codes of Conduct, technical standards or national regulatory and legal initiatives, into account. Ideally, criteria will be interoperable with existing standards that can help a controller or processor meet their obligations under the GDPR. However, while industry standards often focus on the protection and security of the organisation against threats, the GDPR is directed at the protection of fundamental rights of natural persons. This different perspective must be taken into account when designing criteria or approving criteria or certification mechanisms based on industry standards.