Want a certificate for all your hard work on GDPR?

Later this year, “certification” will come into effect as a way for both data controllers and processors subject to UK data protection laws to demonstrate compliance with the European Union's General Data Protection Regulation (GDPR). If a company can show compliance with a particular “certification scheme,” it will be issued with a certificate, seal or mark that the company can display to demonstrate its compliance.

How will certification work?

  • “Certification schemes” will be established. Certification schemes will be a set of criteria or standards that companies can follow to demonstrate compliance with either a specific or general rule of GDPR (for example, on secure storage or personal data either generally or in specific locations/circumstances). Certification schemes will be created by companies putting forward suggestions to the UK Information Commissioner’s Office (ICO), for approval and publishing. The ICO will consider the proposals submitted by participating companies and will determine the schemes that will be allowed.
  • Those certification schemes will then be “delivered” (or, administered) by accredited certification bodies. These bodies will have the power to run certification schemes once a body has been approved by the UK Accreditation Service (UKAS), the national accreditation body, applying accreditation requirements issued by the ICO.
  • Companies can then apply to an accrediting certification body for “certification” that the company complies with a particular certification scheme.
  • Certification is valid for a maximum of three years, subject to periodic reviews — and certifications can be withdrawn if companies no longer meet the certification criteria.

Do companies have to get certified?

No. Signing up to a certification scheme is voluntary. However, if there is an approved certification scheme that covers a company’s processing activity, it may wish to consider working towards that goal, as:

  1. it can help a company demonstrate compliance to the ICO, the public, and its customers;
  2. this may be an important part of public relations, if the company operates in the IT security sector or handles a lot of special category personal data; and
  3. it will be considered as a mitigating factor if the ICO imposes a fine in the future.

However, while certification will be considered as a mitigating factor when the ICO imposes a fine, non-compliance with a certification scheme could also be a reason for issuing a fine.

Does being certified mean that an organization is GDPR compliant?

Certification can help an entity demonstrate compliance with GDPR, but it does not reduce data protection responsibilities.

When is the timeline for certification?

At this time, there are no approved certification schemes or accredited certification bodies for issuing GDPR certificates, as we are still awaiting the final publication of the European Data Protection Boards’ (EDPB) certification and accreditation guidelines and annexes, and the ICO is awaiting approval of its draft additional accreditation requirements from the EDPB.

It is expected that by autumn 2019, the ICO will issue the accreditation requirements for accrediting certification bodies and certification schemes will start being published. Businesses will then be able to decide whether to apply for certification.