Certification

At a glance

• Member states, supervisory authorities (such as the ICO), the European Data Protection Board (EDPB) and the Commission will promote certification.
• Certification schemes will be a way to comply with the GDPR and enhance your transparency.
• Certification schemes should reflect the needs of micro, small and medium sized enterprises.
• Certification schemes under GDPR will be approved by the ICO and delivered by approved third party assessors.
• Signing up to a certification scheme is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider working towards it. It can help you demonstrate compliance to the regulator, the public and in your business to business relationships.

In brief

• Who is responsible for certification?
• What is the purpose of certification?
• Why should we apply for certification of our processing?
• What are the practical implications for us?

Who is responsible for certification?

Member states, supervisory authorities (such as the ICO), the European Data Protection Board (EDPB) and the Commission will promote certification as a means to enhance transparency and compliance with the Regulation.

In the UK the certification framework will involve:

• the ICO publishing accreditation requirements for certification bodies to meet;
• the UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register;
• the ICO approving and publishing certification criteria for certification schemes;
• accredited certification bodies (third party assessors) issuing certification; and
• controllers and processors applying for certification and using certifications.

The ICO has no plans to accredit certification bodies or carry out certification at this time, although the GDPR does allow this.

Currently there are no approved certification schemes or accredited certification bodies for issuing GDPR certificates. Once the certification bodies have been accredited to issue GDPR certificates, you will find this information on ICO’s and UKAS’s websites.

Across EU member states, the EDPB will collate all EU certification schemes in a public register. There is also scope for a European Data Protection Seal.

What is the purpose of certification?

Certification is a way of demonstrating that your processing of personal data complies with the GDPR requirements, in line with the accountability principle. It could help you demonstrate to the ICO that you have a systematic and comprehensive approach to compliance. Certification can also help demonstrate data protection in a practical way to businesses, individuals and regulators. Your customers can use certification as a means to quickly assess the level of data protection of your particular product or service.

The GDPR says that certification is also a means to:

• demonstrate compliance with the provisions on data protection by design and by default (Article 25(3));
• demonstrate that you have appropriate technical and organisational measures to ensure data security (Article 32 (3)); and
• to support transfers of personal data to third countries or international organisations (Article 46(2)(f)).

Why should we apply for certification of our processing?

Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider working towards it as a way of demonstrating that you comply with the GDPR.

Obtaining certification for your processing can help you to:

• be more transparent and accountable - enabling businesses or individuals to distinguish which processing activities, products and  services meet GDPR data protection requirements and they can trust with their personal data;
• have a competitive advantage;
• create effective safeguards to mitigate the risk around data processing and the rights and freedoms of individuals;
• improve standards by establishing best practice;
• help with international transfers; and
• mitigate against enforcement action.

What are the practical implications for us?

• As a controller or processor, you could obtain certification for your processing operations, products and services. Certification bodies will act as independent assessors, providing an external steer and expertise in data protection. You will need to provide them with all the necessary information and access to your processing activities to enable them to conduct the certification procedure.
• Certification is valid for a maximum of three years, subject to periodic reviews. These independent reviews provide assurance that the certification can be trusted. However, certifications can be withdrawn if you no longer meet the requirements of the certification, and the certification body will notify us of this.
• Your customers can view your certification in a public register of certificates issued by certification bodies.
• Certification can help you demonstrate compliance, but does not reduce your data protection responsibilities. Whilst certification will be considered as a mitigating factor when the ICO is considering imposing a fine, non- compliance with a certification scheme can also be a reason for issuing a fine.
• When contracting work to third parties, you may wish to consider whether they hold a GDPR certificate for their processing operations, as part of meeting your due diligence requirements under the GDPR.