GDPR – the purposes of certification

01 Dec 2018

The Information Commissioner’s Office (ICO) has produced guidance on how businesses can demonstrate compliance with UK GDPR through certification.

Certification is a way of demonstrating that your processing of personal data complies with the UK GDPR requirements, in line with the accountability principle. Certification can help demonstrate data protection in a practical way to businesses, individuals and regulators. Your customers can use certification as a means to quickly assess the level of data protection of your particular product, process or service, which provides transparency both for data subjects and in business to business relationships.

The UK GDPR says that certification is also a means to:

demonstrate compliance with the provisions on data protection by design and by default (Article 25(3));
demonstrate that you have appropriate technical and organisational measures to ensure data security (Article 32(3)); and
support transfers of personal data to third countries or international organisations (Article 46(2)(f)).

Who is responsible for certification?
The ICO will encourage the use of data protection certification mechanisms as a means to enhance transparency and compliance with the UK GDPR.

The certification framework will involve:

ICO publishing accreditation requirements for certification bodies to meet;
the UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register;
ICO approving and publishing certification criteria;
accredited certification bodies issuing certification against those criteria;
controllers and processors applying for certification and using it to demonstrate compliance; and
the ICO maintaining a public register of approved certification schemes.

What can be certified?
The scope of a certification scheme could be quite general and be applied to a variety of different products, processes or services, or it could be specific, for example, secure storage and protection of personal data contained within a digital vault.

Certification will relate to specific personal data processing operations that take place in a product, process or service offered by a controller or processor. Those processing operations will be assessed against the certification criteria by the accredited certification body.

Certification can only be issued to data controllers and processors and cannot therefore be used to certify individuals, for example data protection officers.

Article 42(2) also allows for the use of certification schemes for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to UK GDPR for international transfers of personal data.

Why should we apply for certification of our processing?
Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider working towards it as a way of demonstrating that you comply with the UK GDPR.

Certification provides a framework for you to follow, thereby helping ensure compliance and offering assurance that specific standards are being adhered to, for example in a processor to controller relationship.

Obtaining certification for your processing can also help you to:

be more transparent and accountable - enabling businesses or individuals to distinguish which processing activities, operations and services meet UK GDPR data protection requirements and they can trust with their personal data;
have a competitive advantage;
create effective safeguards to mitigate the risk around data processing and the rights and freedoms of individuals;
improve standards by establishing best practice;
enable international transfers; and
mitigate against enforcement action.

What happens next?
At this time, there are no approved certification criteria or accredited certification bodies for issuing UK GDPR certificates. Once the certification bodies have been accredited to issue UK GDPR certificates, you will find this information on the ICO and UKAS websites.

ICO has published its additional accreditation requirements, which allows UKAS to accredit certification bodies to deliver UK GDPR schemes using ICO-approved certification criteria.

ICO has finalised its submission process for the formal approval of UK GDPR certification criteria and welcomes enquiries from organisations in the process of developing or have developed UK GDPR certification criteria. You can find out more about this in the detailed guidance.

Frequently asked questions are answered here.