What steps are being proposed by the UK’s ICO to protect personal data being transferred outside the UK?

The key takeaway

Three new schemes have been approved by the ICO in order to provide guidance for organisations on compliance with data protection law. They cover: 1) handling personal data correctly when equipment is destroyed; 2) age assurance; and 3) children’s privacy online. Organisations will be able to apply for certification under any of the three schemes. Upon being certified, organisations will have evidence of their compliance, enabling them to show that they satisfy certain standards on data protection. Certification will also protect consumers and give them greater trust in the organisations that achieve it.

The background

The General Data Protection Regulation came into force in May 2018. After the Brexit transition period, the GDPR was incorporated into British law through the UK GDPR, which came into force on 1 January 2021.

The key provision that relates to the certification scheme is Article 42 of the UK GDPR. This effectively states that the ICO will be encouraged to establish these sorts of certification schemes. It also states that the ICO and other relevant certification bodies will be responsible for the assessment of organisations’ compliance with the standards and then the approval or withdrawal of certifications. The three newly developed schemes are the first example of the ICO exercising this power under the UK GDPR.

The development

On 19 August, the ICO announced that it had approved the first UK GDPR certification scheme criteria. The three schemes that were approved are as follows:

ADISA ICT Asset Recovery Certification

This certification relates to recovery services, which include processing activities and data sanitisation. It covers applicants who are either data processors or sub-processors. Its aim is to assist controllers in managing compliance within asset recovery. Applicants will be assessed against four criteria:

  1. Business credentials: This includes credit scores, insurance details and other business requirements
  2. UK GDPR and UK DPA 2018 Compliance: This is an overview of general compliance, which includes incident and data breach management and information governance
  3. Risk management: This includes assessment of an organisation’s logistics and data sanitisation
  4. Non-data service: This includes waste management and reuse.

For applicants to be certified, they will need to pass a full ADISA audit against the criteria.

Age Check Certification Scheme (ACCS)

This scheme is relevant to all Age Check Providers, covering a range of age determination, age categorisation and age estimation. This certification will be used to ensure that age check systems are effective. This is vital for organisations that provide anything (goods, services, content) that is age-gated.

Whilst there is an extensive list of technical requirements on the processing of personal data for organisations that wish to be certified, the key point is that the standards require applicants to have a publicly stated commitment to reduce the access children have to age-restricted goods.

Age Appropriate Design Certification Scheme (AADCS)

This scheme is relevant to all organisations that process data for services likely to be accessed by children. Apps, websites, social media platforms and online marketplaces are likely to be in scope.

The key requirement is that any organisation certified must identify the needs of children and support those needs when processing personal data. Some of the requirements are outlined below:

  1. keep children safe from exploitation risks
  2. protect children’s health and wellbeing
  3. protect and support children’s physical, physiological and emotional development.

The full list of actions is contained within the ICO guidance. Organisations will also need to undertake Data Protection Impact Assessments with a particular focus on the rights of and risks to children.

Why is this important?

While these first three sets of criteria have only just been released, they are likely to become important stamps of compliance for organisations.

Consumers are also becoming increasingly aware of their own personal data rights. They may start to demand that the organisations they buy from have been certified to comply with the standards set out by the ICO.

Any practical tips?

If seeking certification, organisations should review the relevant ICO guidance in depth. The ICO has issued comprehensive advice for each of the three schemes, which must be adhered to if you wish to be certified.

For companies offering services likely to be of interest to children, careful consideration of these schemes is highly recommended, as is leaving no stone unturned in putting all relevant safeguards in place to protect children’s data.

Organisations are well advised to keep watching the developments in data compliance like a hawk, and to remain nimble and as responsive as possible to the changing regulatory landscape. It goes without saying that those involved in age-sensitive content or products must remain particularly tuned in, both to the ongoing compliance risks and to the opportunities opening up through developments like these new certification schemes.