The ICO exists to empower you through information.

The Information Commissioner’s Office (ICO) has approved the first UK GDPR certification scheme criteria.

Certification was brought in under the UK GDPR as a way to help organisations demonstrate compliance with data protection rules and, in turn inspire trust and confidence in the people who use their products, processes and services.

Certification works by providing a framework for organisations to follow, which offers clients and customers assurance that they are adhering to strong standards. Organisations with expertise in a particular area can develop scheme criteria.

The ICO has approved the criteria for three schemes, which will now be rolled out:

ADISA, experts in IT asset disposal services, have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed.

Age Check Certification Scheme (ACCS) have developed criteria for two schemes, the first relating to age assurance and the second looking at children’s online privacy.

Organisations that achieve the standards set out in these certification schemes can create a competitive advantage and demonstrate that they have the highest level of commitment to data protection compliance to their customers, partners and investors.

Anulka Clarke, Acting Director of Regulatory Assurance of the ICO said:

“This is a significant step forward in enabling organisations to demonstrate their commitment to compliance with UK data protection law. The products and services these criteria cover - age assurance, age appropriate design and asset disposal - are areas where enhanced trust and accountability in how personal data is protected is vital.

“Enabling certification in these areas establishes a binding framework that organisations can sign up to. This will raise the bar of data protection and ensure they are always following the latest good practice in these constantly evolving areas and importantly, they are able to demonstrate that commitment to their clients, suppliers and public.”

Tony Allen, Chief Executive of the Age Check Certification Scheme said:

“We’ve been pleased to work with the ICO, often on a pathfinding mission for this new process, to create the first approved certification schemes and we’re really looking forward to working with the booming identity and age assurance tech industry in the UK and around the world to bring the schemes to life.”

Steve Mellings, Founder of ADISA said:

“Certification schemes can really help data controllers put their trust in a process. We believe that this achievement for the ADISA ICT Asset Recovery Standard 8.0 will make data controllers life much easier as by building it into their vendor specification, they can be assured that their data processors or sub-processors are being measured against criteria which have been approved by the ICO.”

The ICO is keen to talk to and advise organisations interested in developing certification schemes. For more information see ICO guidance on certification.

Notes to editors

  • The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  • The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  • Certification is a provision under Article 42 UK GDPR. It is based on data protection law and international standards for certification of products, services and processes and has been developed in partnership with UKAS the United Kingdom’s national accreditation body.
  • The ICO approves certification scheme criteria. UKAS accredited certification bodies then deliver those schemes.