What is your definition of a digital service?
The Digital Trust Label denotes the trustworthiness of a digital service. Our definition of digital service is aligned with the official definition by the European Commission. Digital services include a large category of online services, from simple websites to internet infrastructure services and online platforms. Digital services come in many forms and are omnipresent. We are expecting certifiable services in three categories:
- Low complexity services (e.g. newsletter subscription)
- Medium complexity services (e.g. instant messaging apps)
- High complexity services (e.g. Blockchain infrastructure and banking services)
It does not make sense to label every digital service; the label is aimed especially at applications where sensitive data are shared and/or a decision is taken by an algorithm.
Will the label become obsolete once new regulations are being introduced on the European Level?
The Digital Trust Label clearly signals to users that the provider of the certified digital service is willing “to go the extra mile”, going beyond what is legally required. As such, the label will not necessarily be made obsolete by new regulations, but those regulations will probably mean significant changes to the label over time. Of course, SDI very much welcomes a standardized approach that regulates digital services and increases transparency and trust for consumers. Until standardized legislation is in place, we believe that the Label can serve this important cause as a soft-law instrument, and we look forward to working together with other initiatives to advance digital trust.
How did you end up with the label catalogue criteria? Do you plan on further developing the catalogue criteria?
- A high-level Label Expert Committee has been responsible for defining the label catalogue criteria and two public consultation processes have given all interested stakeholders the possibility to give feedback and inputs in defining “trustworthy digital services”.
- Currently, our 35 defined label criteria are spread across four categories (Security, Data Protection, Reliability and Fair User Interaction). Adjustments or additions to the categories and/or criteria are possible as the label develops. We are keen to provide a challenging criteria catalogue. The label must carry a strong purpose; however, we also need to consider the trade-off between developing a challenging label and making it practical and affordable enough for companies to conduct an audit.
- The label is understood as an ongoing and collaborative effort for strengthening transparency, trustworthiness and understandability of digital applications.
- The release of the first version is a starting point and the Label needs to continuously develop.
Why do you focus on four criteria dimensions instead of covering one thoroughly? Is it even doable to audit such a complex and diverse set of criteria?
- The criteria catalogue and the dimensions of the label are based on various studies and the work of the Label Expert Committee.
- We conducted research on the factors determining digital trust (all results are published here), which showed that the four categories strike a balance between.
- Drawing from these findings, we decided on a holistic approach for the label criteria. Four key dimensions constitute the core of the label criteria. The core principles are operationalised through precise technical, legal or administrative specifications that can be externally verified.
- The catalogue is built on existing standards, such as ISO 27001 (information security management system), ISO 22301 (business continuity management system) and the GDPR (European data protection legislation). It does not cover the Plan-Do-Check-Act (P-D-C-A) cycle of the management system itself, but it does cover all topics directly related to the security of the product.
What happens when digital service providers are violating the label, can this be reported to the SDI?
We are looking to involve an independent Ombudsperson who, in the future, will be in charge of taking on any potential violations and examining them on a case-by-case basis. Until then, we are taking any feedback and reports of potential violations via the contact form.
What is the role of SDI in the auditing process?
SDI is the label owner and hence defines the label criteria and the steps to obtaining the label, and makes the final label award decision. The main interaction throughout the label process will be with SDI and the auditor. Once the audit report of the candidate company has been received, independent experts will conduct the technical review before the label certificate is granted. SDI has decided to conduct this technical review to provide an additional layer of trustworthiness to the auditing process and to underline the credibility of the label.
What happens if not all criteria are applicable to a digital service?
Not all of the label criteria may be applicable, depending on the digital service to be audited. In such cases, the auditor will evaluate and discuss the list of applicable criteria with the organization directly. If a majority of the label criteria are not applicable to the digital service to be audited, the label may be deemed unsuitable for that digital service. In this case, SDI has the right to discontinue the auditing process to safeguard the credibility and standard of the label.