Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
Section 5.1 What can be certified under the GDPR?
50. The EDPB considers that the GDPR provides a broad scope for what can be certified under the GDPR, as long as the focus is on helping demonstrate compliance with this Regulation of processing operations by controllers and processors (Article 42.1).
51. When assessing a processing operation, the following three core components must be considered, where applicable:
1 personal data (material scope of the GDPR);
2 technical systems -the infrastructure, such as hardware and software, used to process the personal data; and
3 processes and procedures related to the processing operation(s).