On August 19, 2021, the Information Commissioner’s Office (ICO) announced its approval of the first criteria of the UK GDPR certification system. As with other certification schemes, an ICO system works by providing a framework that organizations can follow in relation to a particular area or topic. An organization that achieves the standards set in the framework is considered “certified”.

While certification is of course beneficial for an organization from a legal point of view, as it shows a commitment to data protection compliance, it very often also gives the organization a competitive advantage: it demonstrates a high level of compliance in the relevant area, which may be attractive to a customer or partner, while a competitor may not have achieved the same standard. For example, it is common today that when a company is onboarding new service providers, it expects the service provider to have achieved, or at least be working towards, certain information security certifications.

The first three approved programs are:

  1. ADISA ICT Asset Recovery Certification: aims to ensure that personal data is handled appropriately if IT equipment is reused or destroyed.
  2. Age Proof Certification System: tests that pension products are functioning correctly (i.e. products that estimate or verify a person’s age).
  3. Age-appropriate design certification system: deals with the online privacy of children and provides criteria for the age-appropriate design of information society services based on the ICO Children’s Code.

Given their nature and scope, it is not surprising that these were the first three programs announced. As with most data protection agencies, personal data security is always a high priority, and it is likely that we will see many more security-focused programs approved by the ICO in the near future. In addition, the protection of children’s personal data on the Internet is a very high priority for the ICO, as evidenced by the Children’s Code. For organizations subject to the Code, compliance is required from September 2, 2021. As this date is fast approaching and many organizations are not entirely clear on how to translate the principles of the Children’s Code into technical and practical measures, it is likely that the relevant design certification system will gain in importance over the next few months.

The ICO has stated that it is interested in discussing the development of other certification systems with experts. So this is probably just the beginning of the ICO approving certification schemes that companies can leverage from both a compliance and commercial perspective.