Certification is a way for an organisation to demonstrate compliance with GDPR. The certification scheme criteria will be approved by the ICO and can cover a specific issue or be more general. Once an accredited certification body has assessed and approved an organisation, it will issue the data protection certificate, seal or mark relevant to that scheme.

The submission process for certification schemes will open once the EDPB guidelines are finalised. In the meantime, we welcome enquiries from organisations who are in the process of developing or have developed GDPR certification schemes. You can find our contact details here: certification@ico.org.uk.

At a glance

  • Certification schemes will be a way to demonstrate your compliance with the GDPR and enhance transparency.
  • Certification schemes should reflect the needs of small and medium-sized enterprises.
  • Certification scheme criteria will be approved by the ICO and delivered by accredited certification bodies.
  • Certification will be issued to data controllers and data processors in relation to specific processing activities.
  • Signing up to a certification scheme is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider working towards it as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.

In brief

What is the purpose of certification?

Certification is a way of demonstrating that your processing of personal data complies with the GDPR requirements, in line with the accountability principle. Certification can help demonstrate data protection in a practical way to businesses, individuals and regulators. Your customers can use certification as a means to quickly assess the level of data protection of your particular product or service, which provides transparency both for data subjects and in business to business relationships.

The GDPR says that certification is also a means to:

  • demonstrate compliance with the provisions on data protection by design and by default (Article 25(3));
  • demonstrate that you have appropriate technical and organisational measures to ensure data security (Article 32(3)); and
  • support transfers of personal data to third countries or international organisations (Article 46(2)(f)).

Who is responsible for certification?

Member states, supervisory authorities (such as the ICO), the European Data Protection Board (EDPB) and the Commission will encourage the use of data protection certification mechanisms as a means to enhance transparency and compliance with the GDPR.

In the UK the certification framework will involve:

  • us publishing accreditation requirements for certification bodies to meet;
  • the UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register;
  • us approving and publishing certification scheme criteria;
  • accredited certification bodies issuing certification against those criteria; and
  • controllers and processors applying for certification and using it to demonstrate compliance.

Across EU member states, the EDPB will collate all EU certification schemes in a public register. There is also scope for a European Data Protection Seal, where scheme criteria are approved by the EDPB for use in all member states.

What can be certified?

The scope of a certification scheme could be quite general or it could be specific, for example, secure storage and protection of personal data contained within a digital vault.

Certification will relate to a specific personal data processing operation or set of operations. Those processing operations will be assessed against the certification scheme criteria by the accredited certification body.

Certification can only be issued to data controllers and data processors and cannot therefore be used to certify individuals, for example data protection officers.

Article 42(2) also allows for the use of certification schemes for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to GDPR for international transfers of personal data. The EDPB plan to provide further guidelines about this in due course.

What must certification scheme criteria contain?

Certification scheme criteria must be:

  • derived from GDPR principles and rules, as required by the certification scheme, ie:
    • lawfulness of processing (Art 6)
    • principles of data processing (Art 5)
    • data subjects’ rights (Art 12-23)
    • obligation to notify data breaches (Art 33)
    • obligation of DP by design and default (Art 25)
    • whether a DPIA has been completed where required (Art 35(7)(d))
    • technical and organisational measures put in place (Art 32);
  • formulated in such a way that they are clear and allow practical application;
  • auditable (ie specify objectives and how they can be achieved so as to demonstrate compliance);
  • relevant to the target audience;
  • inter-operable with other standards, for example ISO standards; and
  • scalable for application to different size or type of organisations.

These conditions are outlined in more detail in EDPB ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 - revised version after public consultation’ and ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 - Annex 2’.

Once your organisation has been successfully assessed by the accredited certification body, you will be issued with a data protection certificate, seal or mark relevant to that scheme.

Why should we apply for certification of our processing?

Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider working towards it as a way of demonstrating that you comply with the GDPR.

Certification provides a framework for you to follow, thereby helping ensure compliance and offering assurance that specific standards are being adhered to, for example in a processor to controller relationship.

Obtaining certification for your processing can also help you to:

  • be more transparent and accountable - enabling businesses or individuals to distinguish which processing activities, operations and services meet GDPR data protection requirements and which they can trust with their personal data;
  • have a competitive advantage;
  • create effective safeguards to mitigate the risk around data processing and the rights and freedoms of individuals;
  • improve standards by establishing best practice;
  • help with international transfers; and
  • mitigate against enforcement action.

What are the practical implications for us?

  • As a controller or processor, you could obtain certification for your processing operations and services. Certification bodies will use independent assessors, giving an independent expert view on whether you meet the scheme criteria. You will need to provide them with all the necessary information and access to your processing activities to enable them to conduct the certification procedure.
  • Certification is valid for a maximum of three years, subject to periodic reviews. These independent reviews provide assurance that the certification can be trusted. However, certifications can be withdrawn if you no longer meet the certification criteria, and the certification body will notify us of this.
  • Your customers can view your certification in a public register of certificates issued by certification bodies.
  • Certification can help you demonstrate compliance, but does not reduce your data protection responsibilities. Whilst certification will be considered as a mitigating factor when we are considering imposing a fine, non-compliance with a certification scheme could also be a reason for issuing a fine.
  • When contracting work to third parties, you may wish to consider whether they hold a GDPR certificate for their processing operations, as part of meeting your due diligence requirements under the GDPR.

What happens next?

At this time, there are no approved certification schemes or accredited certification bodies for issuing GDPR certificates. Once the certification bodies have been accredited to issue GDPR certificates, you will find this information on the ICO’s and UKAS’s websites.

The EDPB are in the process of considering responses to the consultation on the accreditation and certification guidelines and annexes. Therefore certification scheme criteria cannot currently be approved and certification bodies cannot be accredited. See below for relevant EDPB documents and timelines.

Once the EDPB accreditation requirements are finalised, we will submit our own additional requirements to EDPB for their opinion.

In the meantime, we are welcoming enquiries from organisations who are in the process of developing or have developed GDPR certification schemes. You can find our contact details below.

Expected timeline for certification

Summer 2019

  • Final publication of certification and accreditation guidelines and annexes.
  • Additional accreditation requirements drafted and submitted to EDPB for their opinion.
  • Following final approval of the certification annex, we can start accepting certification schemes for approval.

Autumn 2019

  • Additional accreditation requirements finalised and published.

Please note these timelines are dependent on EDPB timelines which are subject to change.

Contact us

For more information, email us at certification@ico.org.uk.

In more detail - European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

Certification Guidelines and Annex

Following the consultation on the ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679’, the European Data Protection Board (EDPB) has published revised guidelines, as adopted on 23 January 2019: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12018-certification-and-identifying-certification_en.

The EDPB has published for consultation 'Annex 2 on the review and assessment of certification criteria pursuant to Article 42(5)' for the above Guidelines:

https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-12018-certification-and-identifying_en

Consultation closed on 29 March 2019, and the consultation responses are being considered.

Accreditation Guidelines and Annex

Following its consultation, the EDPB has published adopted Guidelines on the accreditation of certification bodies under Article 43 of the GDPR (2016/679).

Consultation on the accreditation annex closed in February and the responses are currently being considered.

The EDPB are also drafting guidelines on certification as an appropriate safeguard for international transfers of personal data (Article 46(2)(f)).