The EDPB has adopted guidelines on GDPR “certification” (the “Guidelines”), which aim to provide advice on the interpretation and implementation of the certification mechanisms envisaged by Article 42 GDPR (the GDPR itself does not define “certification”). Once certified, an organisation can display a seal or mark to show that the relevant processing is GDPR compliant. Under Article 46(2)(f), a restricted transfer to a certified organisation in a third country is permitted as an appropriate safeguard, provided that the organisation gives binding and enforceable commitments to apply those safeguards.
The Guidelines are intended to assist member states, supervisory authorities and certification bodies in their approaches to a certification mechanism.
There are currently no approved certification schemes or accredited certification bodies for issuing GDPR certificates in the UK, and the ICO has no current plans to accredit certification bodies or to carry out certification itself. If the ICO later turns its attention to certification, or for organisations whose supervisory authority is outside the UK, the Guidelines will be useful. Certification can be a straightforward way for organisations to demonstrate GDPR compliance and to give other organisations and individuals transparency and reassurance about the level of data protection safeguards they have in place.
The Guidelines can be accessed here.