Despite being three years old, the GDPR is still a work in progress. The process to allow the creation of certification mechanisms under Article 42 came about in 2020 when the EDPB published approval procedures. The announcement gave new hope to organisations as it set out the process allowing certification bodies to submit schemes for approval. Certification is important because it enables organisations to assess their vendor's partner choices alongside their own. The question for certification is when rather than how.