Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR
Section 5.3 Evaluation methods and methodology of assessment
61. A conformity assessment to help demonstrate compliance of processing operations requires identifying and determining the methods for evaluation and the methodology of assessment. It matters whether the information for the assessment is collected from documentation only (which would not be sufficient in itself) or whether it is actively collected on site and by direct or indirect access. The way in which information is collected has consequences for the significance of certification and should therefore be defined and described.
Procedures for the issuance and periodic review of certifications should include specifications to identify the appropriate level of evaluation (depth and granularity) to meet the certification criteria and should include the provision of:
information about and specification of the applied assessment methods and findings collected e.g. during on site audits or from documentation,
evaluation methods focusing on the processing operations (data, systems, processes) and the purpose of processing,
identification of the categories of data, the protection needs and whether processors or third parties are involved,
identification of roles and existence of an access control mechanism defined around roles and responsibilities.