At a glance
You can find details of approved certification schemes in the register of certification criteria. If there is a scheme that meets your needs, you should contact the relevant certification body accredited to operate the scheme.
UK GDPR certification will be issued by UKAS accredited certification bodies against ICO approved certification scheme criteria. To obtain certification you need to apply to the certification body delivering that scheme. You can find this information by contacting the scheme owner listed in our register, or visiting the UKAS website.
- What are the requirements?
- What should we consider before applying?
- How much does it cost to be certified?
- How will people know about our certification?
- Will the ICO consider certification as a mitigating factor in an investigation?
If, having considered the benefits and practical implications, your organisation is interested in applying for UK GDPR certification you should:
- Find a scheme – you need to find a scheme that suits your needs for the product or service you want to have certified, and for the nature of your organisation.
- Find a certification body – certification bodies will issue UK GDPR certifications, so you need to apply directly to them. You can find details of which certification bodies are delivering your chosen scheme on the UKAS website.
- UK GDPR certification must be for a specific processing operation or set of operations that make up a product, process or service offered by your organisation. You should decide what product, process or service you offer that you want to have assessed and certified. For example, HR processing, online payments system, marketing services or customer management database.
- You need to map the data processing operations associated with that product or service to establish what processing you need to be assessed. This is called the ‘object of certification’ or ‘target of evaluation’
- During the scheme application process, you are required to tell the certification body if you are subject to any action by the ICO.
- The ICO will confirm where appropriate that this is the case prior to the certification body issuing or renewing certification. If it is discovered that you have not disclosed any action to the certification body, this may result in them not issuing certification.
- Make sure you have paid your data protection fee. From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt.
- If your organisation has a personal data breach during the term of your certification, you are required to notify the certification body so they can assess if you still meet the certification criteria.
- Should the ICO become aware of any compliance issues that might affect your certification we may notify the certification body and they will be required to conduct an investigation to assess if you still meet the certification criteria.
- Ultimately, if you no longer meet the criteria, then your certification can be withdrawn.
You should contact the relevant certification body to find out how much it will cost to carry out an assessment of your processing activity. They normally charge a day rate for conducting audits and testing, so the cost will largely depend on the size of your organisation and the scale and complexity of the processing operations they are assessing.
The certification body will issue a certificate to you. It will state what processing is covered by your certification and how long it is valid for.
The certification may allow you to use and display a specific logo, seal or mark to demonstrate that you have achieved certification. What the mark looks like will depend on which scheme you have applied to.
The certification body is required to keep a publicly available directory of organisations that they have certified. This is usually a register where people can search by your certificate number or company name.
They are also required to make publicly available an executive summary of their evaluation report explaining what is being certified, the certification criteria, the evaluation methods and tests conducted and the results.
They will also send this executive summary to the ICO before issuing the certification.
Will the ICO consider certification as a mitigating factor in an investigation?
Yes, in some circumstances. Our regulatory approach encourages and rewards compliance. When considering regulatory action, organisations can expect us to take it into account if they:
- engage with us to resolve issues; and
- can demonstrate strong information rights accountability arrangements.
Certification against a UK GDPR-approved certification scheme, based on approved criteria, demonstrates accountability and compliance with the law for a specific processing activity.
We would likely consider certification as a mitigating factor if you followed the scheme requirements and took all reasonable steps to prevent non-compliance.
However, if you did not follow the requirements, which then caused the compliance issue, we may consider this as an aggravating factor. In this case, the certification body may also suspend or revoke your certification.
UK GDPR certification scheme criteria set requirements for best practice in a particular area. Therefore, meeting these requirements and achieving certification and meeting these requirements should significantly reduce the risk of non-compliance. As a result, this should also significantly reduce the risk of us taking corrective action.
When considering whether or not to take action, we adopt a case-by-case approach. We look at a number of factors, including whether you followed the certification scheme.
Read our Regulatory Action Policy for further information.