Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms established by data protection authorities. The ICO has approved such certification mechanisms for three UK GDPR certification schemes, in the following areas:
- IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed. This scheme is for companies that provide IT asset disposal services and focuses on IT asset recovery and data sanitisation. There are currently no certification bodies listed on the ICO’s website to deliver this scheme;
- Age assurance – Age Check Certification Scheme (ACCS) have developed this scheme, which includes data protection criteria for organisations operating or using age assurance products. These allow organisations to estimate or verify a person’s age so that they can access age-restricted products or services; and
- Age-appropriate design, specifically children’s online privacy. Again developed by ACCS, this scheme provides criteria for the age-appropriate design of information society services, based on the ICO’s Children’s Code. The certification body for both ACCS schemes is Age Check Certification Services Ltd.
The ICO has commented that for these “constantly evolving” areas “enhanced trust and accountability in how personal data is protected is vital”.
What is certification?
Certification is provided for under Article 42 UK GDPR. It offers a way for organisations to demonstrate compliance with data protection rules by meeting the standards set out in the certification scheme. To obtain the certification, controllers and processors must make binding and enforceable commitments to the certification bodies. The UK GDPR states that certification is a means to demonstrate appropriate technical and organisational measures and compliance with the provisions on data protection by design and default, as well as a means to support international transfers of personal data. Scheme criteria can be developed by organisations with expertise in a particular area, or they can be more general.
Applying for certification is voluntary. The relevant certification body may charge a fee for conducting audits and testing, depending on the size of your organisation. An organisation may consider having its processing activities certified to benefit from the advantages of certification, namely:
- To demonstrate compliance with the UK GDPR to the regulator and to business partners;
- To show transparency and accountability;
- To gain the trust and confidence of customers using the organisation’s products, processes and services;
- To achieve a competitive advantage; and
- To improve standards by ensuring the organisation is following the latest best practice.
Data controllers can choose to build a requirement for certification schemes into their vendor specification to ensure their data processors or sub-processors are being measured against ICO-approved criteria.
Certification bodies will keep a publicly available directory of organisations that have achieved certification and will publish a summary of the certification criteria, the evaluation methods and the results of tests conducted. Certification is valid for a maximum of three years, subject to regular reviews. If the criteria of the certification scheme are no longer met, the certification can be withdrawn.
Next steps
The ICO is keen to speak to organisations interested in developing certification schemes. They have published information on how to apply for UK GDPR certification in their guidance, which can be found here. It is therefore likely that we will see more certification schemes emerging in the coming months.