Geneva: If a product or company has an International Organisation of Standardisation (ISO) mark, then one is assured that it meets the basic requirements of quality, reliability and safety.
But what about the firms that operate in the digital space and use your personal data?
A Swiss non-profit organisation, Swiss Digital Initiative (SDI), has worked out an answer.
SDI has launched a ‘Digital Trust’ label for online services where every company providing such service is scrutinised for 35 criteria across four categories — security, data protection, reliability and user interaction — before it gets the certification mark.
“The lack of trust in the digital space is actually hampering the digital environment and users do care about the practises of companies, and how companies use their data,” Diana Kaliff, Digital Trust Label lead at SDI, told a group of Indian reporters and think-tanks in Geneva Tuesday.
“Companies can also do more in building trustworthiness on how they handle users’ personal data,” she added.
SDI launched the label in Switzerland in 2022, and wants to extend it to the international market.
“We started in Switzerland and have now expanded to Germany, but there’s no reason why we can’t do it in India or other countries,” Kaliff said. “Some of the services that we have labelled, such as Cisco Webex, apply globally,” she added.
Also read: UPI to Aadhaar, Modi govt showcases ‘India Stack’ of digital goodies for global adoption
The certification method
Companies such as Switzerland-based mobile and internet services firm Swisscom, Credit Suisse, Cisco Webex, PeopleWeek (an international human resources and collaboration software company), and Wefox (a Berlin-based digital insurance provider) have got the Digital Trust label so far, Kaliff said.
Organisations that have committed to get the label in 2023 include UNICEF, UBS (Switzerland-based multinational investment bank and financial services company), One Log (a joint login service for a federation of the largest Swiss media companies and publishing houses), Swiss supermarket firm Coop and Swiss wealth management group Julius Baer.
Each of the 35 criteria looked at for certification has detailed specifics. Once a company agrees to undergo the certification process, a third-party auditor sits down with the company to see if it meets the criteria.
The third-party auditor submits the audit report to SDI, after which an internal certification committee of the SDI conducts a second-level check, seeking clarifications from the auditor as needed. It is only after this that the candidate receives the ‘Digital Trust’ label, according to information from the SDI.
“We have developed the criteria partly based on requirements listed under the ISO and partly under the General Data Protection Regulation (an EU law). The companies have to pay a small fee to the auditors as honorarium for their time,” Kaliff said, adding that SDI has had cases where the companies scrutinised weren’t found to be compliant with the requirements and did not get the label.
Once awarded, the label is valid for three years and there is a quality check after the second and third year to see if the company is still compliant with the standards.
Once received, the company can use the ‘Digital Trust’ label in all its communication, such as website, letterheads and annual reports.
‘Label gives business advantage to companies’
According to SDI managing director Fathi Derder, many companies have taken the initiative to get labelled because their rigorous audit and certification improve their market position.
“The smaller companies that have got labelled are actually treating the criteria as a framework to guide them,” he said.
Derder believes expanding the label to other countries will not be difficult. “This isn’t a legal certification. It is an ethical certification and ethics are universal,” he said.
SDI acknowledges efforts by other entities to develop similar labels, but maintains that ‘Digital Trust’ is the first one to be launched and has very high standards for scrutiny.
As part of the 35 criteria, the SDI inspects whether there is secure communication, data transmission and storage, secure user authentication, efficient monitoring and reporting of any breaches, user consent for everything, accountability, non-discriminating access, and so on.
With digital service providers often known to sell data to third parties for a fee, under the Digital Trust label they will be required to be transparent about it.
“We say you can use data for marketing purposes or analyses, but consumers giving their data have to be transparently informed about this. The organisation has to display what third party they are using to store or share data with,” Kaliff said.
Disclaimer: The author is part of a delegation of journalists and think-tanks being hosted by the Swiss government.
(Edited by Nida Fatima Siddiqui)
Also read: Big isn’t always bad—why India mustn’t blindly copy EU’s Digital Markets Act