The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

Currently there are no ICO-approved GDPR certification schemes in operation. We will publish information once certification schemes have been approved.

GDPR certification will be issued by UKAS-accredited certification bodies against ICO-approved certification scheme criteria. To obtain certification once a scheme is in place, you will need to apply to the certification body delivering that scheme.

In brief

What are the requirements?

If, having considered the benefits and practical implications, your organisation is interested in applying for GDPR certification, you should:

  • Find a scheme – you need to find a scheme that suits your needs for the product or service you want to have certified, and for the nature of your organisation.
  • Find a certification body – certification bodies issue GDPR certifications, so you need to apply directly to them. You can find details of which certification bodies are delivering your chosen scheme on the UKAS website.
  • Decide what to certify – GDPR certification must be for a specific processing operation or set of operations that make up a product, process or service offered by your organisation. You should decide which product, process or service you offer that you want to have assessed and certified; for example, HR processing, an online payments system, marketing services or a customer management database.
  • Map the processing – you need to map the processing operations associated with that product or service to establish what processing needs to be assessed. This is called the ‘object of certification’ or ‘target of evaluation’.

What should we consider before applying?

  • During the scheme application process, you are required to tell the certification body if you are subject to any action by the ICO.
  • The ICO will confirm where appropriate that this is the case prior to the certification body issuing or renewing certification. If it is discovered that you have not disclosed any action to the certification body, this may result in them not issuing certification.
  • Make sure you have paid your data protection fee. Since 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 have required every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt.
  • If your organisation has a personal data breach during the term of your certification, you are required to notify the certification body so they can assess if you still meet the certification criteria.
  • Should the ICO become aware of any compliance issues that might affect your certification we may notify the certification body and they will be required to conduct an investigation to assess if you still meet the certification criteria.
  • Ultimately, if you no longer meet the criteria, then your certification can be withdrawn.

How much does it cost to be certified?

You should contact the relevant certification body to find out how much it will cost to carry out an assessment of your processing activity. They normally charge a day rate for conducting audits and testing, so the cost will largely depend on the size of your organisation and the scale and complexity of the processing operations they are assessing.

How will people know about our certification?

The certification body will issue a certificate to you. It will state what processing is covered by your certification and how long it is valid for.

The certification may allow you to use and display a specific logo, seal or mark to demonstrate that you have achieved certification. What the mark looks like will depend on which scheme you have applied to.

The certification body is required to keep a publicly available directory of organisations that they have certified. This is usually a register where people can search by your certificate number or company name.

They are also required to make publicly available an executive summary of their evaluation report explaining what is being certified, the certification criteria, the evaluation methods and tests conducted and the results.

They will also send this executive summary to the ICO before issuing the certification.