Here are some frequently asked questions relating to our guidance on Certification schemes in the Guide to the GDPR.

Frequently asked questions

How can we apply for GDPR certification?

Currently there are no ICO-approved GDPR certification schemes in operation.

GDPR certification will be issued by UKAS-accredited certification bodies against ICO-approved certification scheme criteria. To obtain certification you will need to apply to the appropriate certification body.

The most up-to-date information regarding certification is available on the certification section of our website. This guidance also contains links to the guidelines issued by the European Data Protection Board on which certification and accreditation requirements will be based, and an indication of the possible timelines.

We will publish information on the website once certification schemes have been approved.

We already have data protection certification – what’s the difference between this and a GDPR scheme?

A number of companies already offer data protection certification. Whilst they may have some value, they have not been developed in line with the requirements of Article 42 of the GDPR or the supporting EDPB guidelines, and do not therefore provide any formal certification of an organisation’s processing of personal data.

Once GDPR certification schemes have been approved by the ICO we will publish this information on our website.

Is the ICO going to produce a GDPR certification scheme?

The GDPR states that the ICO could create its own certification scheme and, whilst we have no specific scheme under development at present, we may consider doing so in future. Our focus at this stage is ensuring that we and UKAS have the processes and systems in place to facilitate GDPR certification.

Who can develop GDPR certification schemes?

We expect that existing standards and certification bodies will develop GDPR certification schemes in response to market needs. However, this does not exclude others from also developing schemes.

Will GDPR certification schemes replace existing standards, for example ISO standards?

GDPR certification schemes are not intended to replace existing standards or schemes. This would only happen if the scheme or standard owner developed their existing mechanism to become a GDPR certification scheme. We anticipate that there could be different certification schemes designed to address different areas of compliance, developed by different organisations.

We are already certified for ISO 27001 - can this count towards a GDPR certification?

EDPB guidelines advise that certification scheme criteria should be ‘interoperable with other standards’. This means that other standards should be taken into account where they might apply to the processing operations being certified. Therefore, existing certification may be taken into account when undergoing an assessment for a new certification.

Is GDPR certification the same as the certificate issued by the ICO when we pay our data protection fee?

GDPR certification is different to the confirmation you receive when registering with the ICO as a data controller and paying your fee.

From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 require every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt. The ICO keeps a register of data controllers that have registered with us.

More information about data protection fees can be found on our website.

The data protection fee team deal with enquiries in relation to this. You can contact them by emailing dataprotectionfee@ico.org.uk or calling our helpline on 0303 123 1113.

We currently provide a GDPR assessment product or data protection certification to organisations. Can we get this approved as an ICO-approved GDPR certification scheme?

The certification pages of our website contain links to the accreditation and certification guidelines issued by the European Data Protection Board, which contain the certification annex on which certification criteria will be based. Any existing or proposed certification scheme would need to follow these guidelines in order to be approved as a GDPR certification scheme.

GDPR certification is different from many data protection certification products currently available. The focus is less on the governance and management arrangements around personal data and more on an in-depth assessment of the specific processing operations. Therefore the certification will cover a specific personal data processing operation or set of operations carried out by a controller or processor. For example, a bank may apply to have its online banking certified as being compliant with the criteria of an appropriate scheme.

The certification can be for a service but not normally the entire organisation.

If you are interested in developing a GDPR certification scheme then the EDPB guidelines referred to above should help you determine what your certification scheme criteria will need to contain and to what extent your existing product meets those requirements.

Details of how to submit GDPR certification criteria to the ICO for approval will be provided later this year once the EDPB guidelines have been finalised. The most up-to-date information regarding certification is available on the certification section of our website, alongside an indication of possible timelines.

How will the ICO assess and approve certification criteria?

The certification pages of our website contain links to the accreditation and certification guidelines issued by the European Data Protection Board, which contain the certification annex on which certification criteria will be based. Any existing or proposed certification scheme would need to follow these guidelines in order to be approved as a GDPR certification scheme.

We are in the process of developing our certification scheme approval processes and hope to have more information available shortly.

How many certification schemes will there be?

EDPB guidelines have been finalised and we are at the early stages of developing our processes around certification. We don’t know at this point how many schemes may be submitted to us for approval.

A certification scheme can define its scope either generally or in relation to a specific type or area of processing. This means there could potentially be a number of different schemes that would apply to a variety of processing operations. There is in theory no limit to the number of potential schemes as long as they meet the necessary requirements and there is a clear need for their existence. It will be up to certification scheme owners to establish and explain this as part of the submission process.

As outlined in the certification guidance on our website, the UK GDPR certification framework will involve the ICO approving certification scheme criteria and UKAS accrediting certification bodies to deliver those schemes.

We are a UKAS-accredited certification body – are there any approved schemes that we can certify against?

Currently there are no ICO-approved GDPR certification schemes. We are in the process of developing our certification scheme approval processes and hope to have more information available shortly. The most up-to-date information is available on the certification section of our website, including an indication of possible timelines.

How can we become a certification body?

UKAS will accredit certification bodies against ISO 17065 and additional ICO accreditation requirements once they are in a position to do so.

UKAS are the UK’s national accreditation body and already carry out this role for existing standards such as ISO 27001. UKAS will check both the organisation and the certification scheme as part of the accreditation process.

Organisations wishing to become certification bodies for ICO-approved GDPR schemes will need to go through an accreditation process against the standards outlined in ISO 17065 and the additional requirements outlined in Annex 1 of the EDPB accreditation guidelines. This process can take from six to 18 months depending on the nature of the organisation and the complexity of the certification scheme they wish to deliver. UKAS charge a fee for accreditation. More information about the accreditation process and potential costs can be found on the UKAS website.