Certification is a way for an organisation to demonstrate compliance with GDPR. Certification scheme criteria will be approved by the ICO and can cover a specific issue or be more general. Once an accredited certification body has assessed and approved an organisation, it will issue them with a certificate, and a seal or mark relevant to that scheme.
At a glance
- Certification is a way to demonstrate your compliance with the GDPR and enhance transparency.
- Certification criteria should reflect the needs of small and medium sized enterprises.
- Certification criteria are approved by the ICO and certification issued by accredited certification bodies.
- Certification will be issued to data controllers and data processors in relation to specific processing activities.
- Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.
What is the purpose of certification?
Certification is a way of demonstrating that your processing of personal data complies with the GDPR requirements, in line with the accountability principle. Certification can help demonstrate data protection in a practical way to businesses, individuals and regulators. Your customers can use certification as a means to quickly assess the level of data protection of your particular product, process or service, which provides transparency both for data subjects and in business to business relationships.
The GDPR says that certification is also a means to:
- demonstrate compliance with the provisions on data protection by design and by default (Article 25(3));
- demonstrate that you have appropriate technical and organisational measures to ensure data security (Article 32(3)); and
- to support transfers of personal data to third countries or international organisations (Article 46(2)(f)).
Who is responsible for certification?
Member states, supervisory authorities (such as the ICO), the European Data Protection Board (EDPB) and the Commission will encourage the use of data protection certification mechanisms as a means to enhance transparency and compliance with the GDPR.
In the UK the certification framework will involve:
- us publishing accreditation requirements for certification bodies to meet;
- the UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register;
- us approving and publishing certification criteria;
- accredited certification bodies issuing certification against those criteria; and
- controllers and processors applying for certification and using it to demonstrate compliance.
Across EU member states, the EDPB will collate all EU certification schemes in a public register. There is also scope for a European Data Protection Seal where scheme criteria are approved by EDPB for use in all member states.
What can be certified?
The scope of a certification scheme could be quite general and be applied to a variety of different products, processes or services; or it could be specific, for example, secure storage and protection of personal data contained within a digital vault.
Certification will relate to a specific personal data processing operations that take place in a product, process or service offered by a controller or processor. Those processing operations will be assessed against the certification criteria by the accredited certification body.
Certification can only be issued to data controllers and processors and cannot therefore be used to certify individuals, for example data protection officers.
Article 42(2) also allows for the use of certification schemes for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to GDPR for international transfers of personal data.
What must certification scheme criteria contain?
Certification criteria must be:
- derived from GDPR principles and rules, as relevant to the scope of certification, ie:
- lawfulness of processing (Art 6)
- principles of data processing (Art 5)
- data subjects’ rights (Art 12-23)
- obligation to notify data breaches (Art 33)
- obligation of DP by design and default (Art 25)
- whether a DPIA has been completed where required (Art35(7)(d)
- technical and organisational measures put in place (Art 32);
- formulated in such a way that they are clear and allow practical application;
- auditable (ie specify objectives and how they can be achieved so as to demonstrate compliance);
- relevant to the target audience;
- inter-operable with other standards, for example ISO standards; and
- scalable for application to different size or type of organisations.
These conditions are outlined in more detail in EDPB ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’ and our detailed guidance.
Once your organisation has been successfully assessed by the accredited certification body, you will be issued with a data protection certificate, seal or mark relevant to that scheme.
Why should we apply for certification of our processing?
Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider working towards it as a way of demonstrating that you comply with the GDPR.
Certification provides a framework for you to follow, thereby helping ensure compliance and offering assurance that specific standards are being adhered to, for example in a processor to controller relationship.
Obtaining certification for your processing can also help you to:
- be more transparent and accountable – enabling businesses or individuals to distinguish which processing activities, operations and services meet GDPR data protection requirements and they can trust with their personal data;
- have a competitive advantage;
- create effective safeguards to mitigate the risk around data processing and the rights and freedoms of individuals;
- improve standards by establishing best practice;
- help with international transfers; and
- mitigate against enforcement action.
What are the practical implications for us?
- As a controller or processor, you could obtain certification for your processing operations, and services. Certification bodies will use independent assessors, giving an independent expert view on whether you meet the certification criteria. You will need to provide them with all the necessary information and access to your processing activities to enable them to conduct the certification procedure.
- Certification is valid for a maximum of three years, subject to periodic reviews. These independent reviews provide assurance that the certification can be trusted. However, certifications can be withdrawn if you no longer meet the certification criteria, and the certification body will notify us of this.
- Your customers can view your certification in a public register of certificates published by certification bodies.
- Certification can help you demonstrate compliance, but does not reduce your wider data protection responsibilities outside the certified processing activity.
- When contracting work to third parties, you may wish to consider whether they hold a GDPR certificate for their processing operations, as part of meeting your due diligence requirements under the GDPR.
What happens next?
At this time, there are no approved certification criteria or accredited certification bodies for issuing GDPR certificates. Once the certification bodies have been accredited to issue GDPR certificates, you will find this information on the ICO’s and UKAS’s websites.
ICO additional accreditation requirements were submitted to the EDPB for their opinion and have now been approved. This allows UKAS to accredit certification bodies to deliver GDPR schemes using ICO-approved certification criteria.
The ICO have finalised its submission process for the formal approval of GDPR certification criteria and welcomes enquiries from organisations who are in the process of developing or have developed GDPR certification criteria. You can find out more about this in the detaile guidance.
Here are some frequently asked questions relating to our guidance on Certification schemes in the Guide to the GDPR.
GDPR certification is different to the confirmation you receive when registering with the ICO as a data controller and paying your fee.
From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt. The ICO keeps a register of data controllers that have registered with us.
More information about data protection fees can be found on ICO website.
The data protection fee team deal with enquiries in relation to this. You can contact them by emailing firstname.lastname@example.org or calling our helpline on 0303 123 1113.
Please see the ICO detailed guidance to find out more about applying for certification.
A number of companies already offer data protection certification. Whilst they may have some value, they have not been developed in line with the requirements of Article 42 of the GDPR nor the supporting EDPB guidelines and do not therefore provide any formal certification of an organisation’s processing of personal data.
Once GDPR certification schemes have been approved by the ICO we will publish this information on our website.
The GDPR states that the ICO could create its own certification scheme and, whilst we have no specific scheme under development at present, we may consider doing so in future. Our focus at this stage is ensuring that we and UKAS have the processes and systems in place to facilitate GDPR certification.
The ICO expects that existing standards and certification bodies will develop GDPR certification schemes in response to market needs. However, this does not exclude others from also developing schemes.
GDPR certification schemes are not intended to replace existing standards or schemes. This would only happen if the scheme or standard owner developed their existing mechanism to become a GDPR certification scheme. We anticipate that there could be different certification schemes designed to address different areas of compliance, developed by different organisations.
EDPB guidelines advise that certification scheme criteria should be ‘interoperable with other standards’. This means that other standards should be taken into account where they might apply to the processing operations being certified. Therefore, existing certification may be taken into account when undergoing an assessment for a new certification.
GDPR certification is different from many data protection certification products currently available. The focus is less on the governance and management arrangements around personal data and more an in-depth assessment of the specific processing operations. Therefore the certification will cover a specific personal data processing operation or set of operations carried out by a controller or processor. For example, a bank may apply to have its online banking certified as being compliant with an appropriate scheme criteria.
The certification can be for a service but not normally the entire organisation.
If you are interested in developing a GDPR certification scheme then see our detailed guidance about what your certification scheme criteria will need to contain and to what extent your existing product meets those requirements.
The certification pages of our website contain links to the accreditation and certification guidelines issued by the European Data Protection Board which contains the certification annex on which certification criteria will be based. Any existing or proposed certification scheme would need to follow these guidelines in order to be approved as a GDPR certification scheme.
We are in the process of developing our certification scheme approval processes and hope to have more information available shortly.
EDPB guidelines have been finalised and we are at the early stages of developing our processes around certification. We don’t know at this point how many schemes may be submitted to us for approval.
A certification scheme can define its scope either generally or in relation to a specific type or area of processing. This means there could potentially be a number of different schemes that would apply to a variety of processing operations. There is in theory no limit to the number of potential schemes as long as they meet the necessary requirements and there is a clear need for their existence. It will be up to certification scheme owners to establish and explain this as part of the submission process.
As outlined in the certification guidance on our website, the UK GDPR certification framework will involve the ICO approving certification scheme criteria and UKAS accrediting certification bodies to deliver those schemes.
Currently there are no ICO-approved GDPR certification schemes. Please keep an eye on our website and the Register of Certification Scheme criteria.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
Certification Guidelines and Annex
The EDPB has published adopted ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’ on 4 June 2019.
Accreditation Guidelines and Annex
EDPB has published adopted Guidelines on the accreditation of certification bodies under Article 43 of the GDPR (2016/679) on 4 June 2019.
Thank you for reading.