- What are certification schemes?
- What can a UK GDPR scheme be about?
- Why does the ICO consider market demand?
- How should we evidence market demand?
- How will the ICO assess market demand?
- What can be certified?
- What are the requirements for UK GDPR certification criteria?
- Do we need to describe the evaluation methods?
- Does the scheme include the use of a seal or mark?
- How should we test our scheme?
- How can the ICO help?
- What documents do we need to submit to the ICO?
- How will the ICO assess the scheme criteria?
- How will people know our criteria have been approved?
- How do certification schemes work as an international transfer tool?
Certification schemes consist of two key elements:
- The criteria outlining specific data protection requirements. These form the ‘standard’ against which the conformity of a product or service is assessed.
- The audit methodology and testing methods that are used by the certification body to carry out that assessment.
UK GDPR certification is different from many data protection certification products currently available. The focus is less on the governance and management arrangements around personal data and more on an in-depth assessment of the specific processing operations and how personal data is actually processed. The certification covers a specific, discrete personal data processing operation (or set of operations) that forms a product, process or service offered by the controller or processor, rather than the whole organisation. For example, a bank may apply to have its online banking service certified as compliant with an appropriate scheme’s criteria.
For personal data, ‘processing’ means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
For UK GDPR certification, the ICO is only required to assess the criteria outlining specific data protection requirements. Depending on the nature of your organisation, you may wish to develop only the criteria or a complete scheme. The full scheme including the audit and testing methodology is assessed by UKAS as part of the accreditation process.
The Guide to UK GDPR certification page contains links to EDPB guidelines on certification and accreditation. EDPB guidelines are no longer directly relevant to, and are not binding under, the UK regime. However, our requirements were based on these guidelines, so they may still provide helpful guidance when developing certification criteria.
A key consideration in determining what a UK GDPR certification scheme can be about (the scope) is how it will benefit your target market and the individuals who use the product or services being certified. It should explain how the UK GDPR can be practically applied to a specific processing activity. It should also allow data subjects to easily assess the level of data protection of the products, processes and services offered by controllers and processors.
The scope of a scheme can be specific or more general. A specific scheme might only be aimed at a particular sector for a specific type of product or service, for example online banking portals, and the criteria will specifically relate to the processing operations commonly found in such portals.
A general scheme that aims to cover all aspects of UK GDPR and can be applied to any processing activity will still need to be granular enough to provide robust and meaningful certification.
You could consider having a general scheme (covering all aspects of UK GDPR) but with limited application, for example only applying to third party payroll services.
Alternatively, the scope of the scheme could be focused on only one area of the UK GDPR, for example, transparency or automated decision making.
To help you decide, you should consider:
- any general, sectoral or industry data processing issues you might want to address through your scheme. You should carry out research and consultation within your proposed target market to ensure that your scheme meets a need and will have market viability;
- where there is a need for enhanced trust;
- how a particular processing activity impacts data subjects and how the proposed criteria or scheme would help them;
- how the scheme documentation (including any logo, seal or mark) will ensure that people can easily and immediately understand what is being certified and what that means for them;
- what schemes are already available; and
- the name of the scheme – whether it accurately reflects the scope and will be understandable to users.
The ICO considers market demand because your scheme needs to meet an identified data protection need or desire. Data protection schemes need a clear purpose and must offer benefits and enhanced protections to the people whose data you are processing.
We want to ensure that the scheme criteria we approve cover a wide range of different processing activities. We want to cover areas which could benefit from certification due to clearly identified market, legislative or consumer demand.
This approach also supports subsequent scheme take-up by organisations, and is the most effective use of our resources to assess and approve scheme criteria.
You should provide evidence in your application to show the market, consumer or legislative demand for your certification scheme. You should also highlight the benefits for people, data controllers and processors.
Your considerations could include, but are not limited to:
- Evidence of demand or market support from potential end-users and consumers
This could include a consultation or engagement with identified scheme end-users, ie potential certified organisations, the public, industry bodies, consumer representative bodies or certification bodies.
- Awareness of existing UK GDPR certification schemes
Evidence of benchmarking your scheme against existing schemes. In particular, if similar scheme criteria are already approved and published on the ICO website, you should demonstrate the ‘added value’ or unique demand that your scheme criteria meets.
- Market and industry knowledge
Evidence of relevant economic, social, technological, legal, regulatory or other factors which may drive the demand for your certification scheme’s development.
- Business case considerations
Evidence to support the considerations of commercial viability. This could include financial planning projections or an implementation or delivery strategy for the proposed scheme.
- Regulatory priorities and prevention of harm
Demonstrate that the criteria support or are based on existing regulatory priorities, data protection guidance, ICO codes of practice, government priorities or any other public or consumer interest issues. These should be appropriate to data protection and, in particular, the prevention of harm to the public.
Under Article 42 UK GDPR, we must encourage the uptake of data protection certification.
The Office for Product Safety and Standards (OPSS) guidance on conformity assessment and accreditation states that:
“Conformity assessment schemes should be driven by market demand including demand from end-users and consumers … conformity assessment should be a free-market, competitive activity”.
Our application form for an organisation’s formal submission of scheme criteria lists several considerations that scheme authors need to show evidence of in their scheme. These include:
- the background and motivation for the proposed scheme or criteria;
- how the criteria are likely to improve data protection compliance of controllers and processors;
- identification of the intended target market;
- identification of market, consumer or regulatory demand or support for the scheme and its viability;
- what clear ‘added value’ the proposed scheme criteria provide if it is similar to other existing ICO approved and published scheme criteria; and
- identification of potential certification bodies, or interest by certification bodies, to deliver the scheme.
We always assess proposed scheme criteria on a case-by-case basis. We assess in accordance with the legislation and our published requirements for certification criteria.
UK GDPR certification can only be applied to processing activity contained within a specific product, process or service offered by a controller or processor. Therefore, when developing scheme criteria, you should consider what possible processing operations might be covered under the scope of the scheme and how this might shape the scheme criteria.
You may consider excluding certain types of processing from the scope, depending on the nature of the scheme. For example, if the scheme is called “Health Privacy Mark”, any processing that does not involve health data is out of scope, and this should be stated in the scheme documentation.
The criteria should require the controller or processor to make clear where the processing that is subject to evaluation starts and ends, so that the intended audience, including data subjects, understand what exactly is being certified and what that certification means. This is referred to as the ‘object of certification’ or ‘target of evaluation’.
Certification criteria must provide common, specific and practical applications of UK GDPR principles and rules. In order to provide adequate assurance, the criteria must provide a standard for best practice in data protection – not merely restate the UK GDPR.
Corresponding implementation guidance should provide examples of technical and organisational measures that organisations could implement in order to meet the standard.
You need to make sure that the criteria relate to and are directed at the processing operations that you intend to be certified. Criteria for an information management system may form part of the scheme but cannot be its sole focus; for example, you might include a section covering information governance requirements alongside the criteria for the processing operations themselves.
To make it easier for the scheme to be assessed, you should consider the layout of your scheme documents from the start.
The document outlining the criteria must contain, as a minimum, the following sections:
- Introduction including background and motivation for the scheme, including how the criteria will improve data protection compliance and benefit data subjects.
- Scope of certification mechanism.
- Target of evaluation (ToE) – describing how to define the processing operations to be certified.
- Normative references.
- Terms & Definitions.
- Criteria addressing:
(a) lawfulness of processing (Art 6-10);
(b) principles of data processing (Art 5);
(c) general obligations of controllers and processors (Chapter IV);
(d) data subjects’ rights (Art 12-23);
(e) obligation to notify data breaches (Art 33-34);
(f) obligation of DP by design and default (Art 25);
(g) assessment of risks to rights and freedoms of individuals, including completion of a DPIA where required (Art 35(7)(d));
(h) technical and organisational measures guaranteeing protection in line with the above;
(i) technical and organisational measures to ensure an appropriate level of security (Art 32);
(j) other privacy enhancing techniques;
(k) international transfers (Art 44-49); and
(l) requirements for effective information governance, including: leadership and oversight; policies and procedures; training and awareness; records of processing; assessing privacy risks and DPIAs; internal audit and continual improvement.
You should include an explanation for each criterion (where necessary), implementation guidance and examples of how to demonstrate compliance. How compliance is tested will be considered fully as part of the accreditation process for certification bodies and the certification process for controllers and processors.
Certification scheme criteria must be:
- auditable (ie specify clearly defined, measurable objectives);
- relevant to the processing and target audience;
- inter-operable with other standards, for example ISO standards; and
- scalable for application to different size or type of processing/organisations.
If you are a certification body (or seeking accreditation as one) developing a complete certification scheme rather than just the criteria, then you also need to develop a separate document outlining the methods for evaluation and testing conformity against the certification criteria.
The nature of the evaluation should take into account the scope of the scheme and the potential processing operations it may be applied to, as this will affect the significance and value of the certification. For example, reducing the extent of evaluation for practical purposes or to reduce costs will reduce the significance of the certification.
If you have only developed the criteria or standard, you may still need to consider providing guidance for certification bodies who will carry out conformity assessment activities against those criteria. This guidance may outline specific requirements (where specific requirements exist) taking into account the potential target of evaluation. For example, it may include requirements for audit and testing methodology, and expertise of certification body personnel carrying out the assessment.
If the scheme includes a seal or mark that can be used by the controller or processor to signify successful completion of the certification procedure, then you need to demonstrate that you have protected those marks and laid down rules for their use.
The design of the mark or seal should help the public understand the meaning of the certification where possible. For example, a ‘Health Privacy Mark’ would indicate to the public that the certification is about enhanced privacy of their health information.
You should test your scheme with a number of volunteer organisations. This will help ensure that the scheme is fit for purpose.
If you are not proposing to deliver the scheme yourself, you may want to contact prospective certification bodies who can help you test your scheme.
We appreciate that developing a certification scheme can be a complex process, so we welcome informal discussions with organisations as part of their development phase.
This should ensure that scheme criteria are developed in line with the relevant guidelines and requirements.
You can contact us at [email protected].
You need to provide:
- a fully completed application form;
- a ‘Criteria catalogue’ or ‘Standard’ outlining the criteria and containing the sections outlined above;
- guidance for certification bodies who will be carrying out conformity assessment activities. This may outline the required conformity assessment methodology and any other specific requirements as described above;
- a use case (actual or theoretical worked example) to demonstrate how the certification criteria could be applied in practice;
- details of any consultation you have carried out during the development of your certification criteria or scheme; and
- results of any testing carried out.
When you submit the scheme criteria, we will perform initial triage of the documentation to determine if it satisfies the following:
- It contains company details and point of contact (including company registration number).
- It is laid out in a logical and understandable way, using appropriate language and numbered clauses.
- The scope is clearly defined, meaningful and not misleading.
- The scope includes all relevant aspects of processing to be addressed by the scheme.
- It allows meaningful data protection certification, taking into account the nature, content, risk and scope of processing.
- The territorial scope is defined.
- The criteria sufficiently describe how the object of certification / target of evaluation (ToE) should be defined by the controller or processor.
- The criteria guarantee that the resulting certification will be understandable to the intended audience, including data subjects.
- It includes a case study of how the criteria could be applied to enable understanding of how the criteria can be applied in real-life situations.
- The relevant terms are defined, and normative references identified.
- The criteria cover all aspects of the processing and procedures covered by the scope.
- It appears to cover all relevant sections of UK GDPR that relate to the scope, for example principles, rights, lawful basis, data protection by design and default, requirement to assess risks to rights and freedoms of individuals.
- It identifies a clear market need and has considered the commercial viability of the scheme.
UKAS will also assess the proposed scheme criteria to ensure that they are suitable for accreditation (ie the UK GDPR certification criteria in the scheme are fit for purpose, measurable, deliver the right outcomes and have been established in consultation with relevant stakeholders).
If the scheme criteria meet the above requirements, we will then carry out a full assessment to look at how effectively the criteria practically apply UK GDPR. This may include the scheme owner meeting with the ICO to discuss the scheme criteria in more detail.
Ultimately, the ICO will approve criteria based on how well they are likely to improve data protection compliance of controllers and processors and benefit the information rights of data subjects.
Once any required changes are made and the criteria meet the full requirements, enabling controllers and processors to demonstrate compliance with the UK GDPR, we will grant approval.
Once the criteria are finalised the details are published on our website.
Please note it is a requirement for scheme criteria to be made publicly available.
We recognise that the use of certification schemes as an international transfer tool is a new mechanism, and we are committed to supporting their development. If you want to speak to us about establishing a certification scheme for the transfer of personal data to a third country or international organisation, please contact us at [email protected].