Certification FAQs
Latest updates - 13 February 2026
13 February 2026 - This guidance has been updated to reflect changes to UK GDPR due to the Data (Use and Access) Act coming into law on 19 June 2025.
Here are some frequently asked questions relating to our guidance on Certification schemes in the Guide to the UK GDPR.
Frequently asked questions
- Is UK GDPR certification the same as the certificate issued by the ICO when we pay our data protection fee?
- How can we apply for UK GDPR certification?
- We already have data protection certification – what’s the difference between this and a UK GDPR scheme?
- Is the ICO going to produce a UK GDPR certification scheme?
- Who can develop UK GDPR certification schemes?
- Will UK GDPR certification schemes replace existing standards, for example ISO standards?
- We are already certified for ISO 27001 - can this count towards a UK GDPR certification?
- We currently provide a UK GDPR assessment product or data protection certification to organisations. Can we get this approved as a UK GDPR certification scheme?
- How will the ICO assess and approve certification criteria?
- How many certification schemes will there be?
- We are a UKAS-accredited certification body – are there any approved schemes that we can certify against?
- How can we become a certification body?
Is UK GDPR certification the same as the certificate issued by the ICO when we pay our data protection fee?
UK GDPR certification is different to the confirmation you receive when registering with the ICO as a data controller and paying your fee.
The Data Protection (Charges and Information) (Amendment) Regulations 2025 requires every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt. The ICO keeps a register of data controllers that have registered with us.
More information about data protection fees can be found on our website.
The data protection fee team deal with enquiries in relation to this. You can contact them by emailing [email protected] or calling our helpline on 0303 123 1113.
How can we apply for UK GDPR certification?
Please see the detailed guidance to find out more about applying for certification.
We already have data protection certification – what’s the difference between this and a UK GDPR scheme?
Some companies offer non-accredited, non-ICO approved data protection certification. Whilst these certifications may have some value, if the schemes have not been developed in line with the requirements of Article 42 of the UK GDPR, and approved by the ICO, they will not provide the same level of assurance that an organisation’s processing of personal data complies with the law.
All UK GDPR certification schemes are approved by the ICO, and the details are published on our website.
Is the ICO going to produce a UK GDPR certification scheme?
It is possible for the ICO to create its own certification scheme and, whilst we have no specific scheme under development at present, we may consider doing so in future.
Who can develop UK GDPR certification schemes?
Scheme owners could be existing standards or certification bodies with knowledge of accredited certification. However, this does not exclude others from developing schemes, and any organisation with sufficient data protection knowledge in their industry can develop UK GDPR certification schemes in response to market needs.
Will UK GDPR certification schemes replace existing standards, for example ISO standards?
UK GDPR certification schemes are not intended to replace existing standards or schemes. This would only happen if the scheme or standard owner developed their existing mechanism to become a UK GDPR certification scheme. We anticipate that there could be different certification schemes designed to address different areas of compliance, developed by different organisations.
We are already certified for ISO 27001 - can this count towards a UK GDPR certification?
Certification scheme criteria should be interoperable with other standards. This means that other standards should be taken into account where they might apply to the processing operations being certified. Existing certification could be considered as evidence when undergoing an assessment for a new certification.
However, existing data protection standards such as ISO 27001, ISO 27701 and BS10012 are personal information management systems, which focus on policies and procedures. Whilst having policies and procedures in place is important, it is vital that they are implemented effectively. UK GDPR certification focusses more on whether an organisation’s processing of personal data complies with data protection law.
We currently provide a UK GDPR assessment product or data protection certification to organisations. Can we get this approved as an ICO-approved UK GDPR certification scheme?
It may be possible to adapt an existing standard or product for a UK GDPR certification scheme. However, UK GDPR certification is different from many data protection certification products currently available. The focus is less on the governance and management arrangements around personal data and more on an in-depth assessment of the specific processing operations. Therefore, the certification will cover a specific personal data processing operation or set of operations carried out by a controller or processor. For example, a bank may apply to have its online banking certified as being compliant with appropriate scheme criteria.
The certification can be for a product or service but not normally the entire organisation’s processing.
If you are interested in developing a UK GDPR certification scheme then see our detailed guidance about what your certification scheme criteria will need to contain and to what extent your existing product meets those requirements.
How will the ICO assess and approve certification criteria?
Our detailed certification guidance outlines how the ICO assess and approve certification criteria.
How many certification schemes will there be?
In theory, there’s no limit to how many certification schemes we can approve, as long as they meet the necessary requirements and there is a clear market need for them. It is up to certification scheme owners to demonstrate this as part of their proposal.
A certification scheme can define its scope either generally or in relation to a specific type or area of processing. This means there could be several different schemes that apply to a variety of processing operations. For example, we have approved schemes for age assurance, age appropriate design, IT asset disposal, legal services, and training and qualification services.
We are a UKAS-accredited certification body – are there any approved schemes that we can operate?
All the certification schemes we have approved are published in the Register of Certification Scheme criteria. If you are interested in operating as a certification body for one of these schemes, please contact the scheme owner listed in the register.
How can we become a certification body?
Please see our detailed guidance for information on becoming a certification body.