Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms set up by data protection authorities. The ICO has approved such a certification mechanism for three UK GDPR certification schemes in the following areas:
- Disposal of IT Assets – The Asset Disposal and Information Security Alliance (ADISA) has developed a standard that ensures that personal data is handled appropriately if IT equipment is reused or destroyed. This program is aimed at companies providing IT asset disposal services and focuses on IT asset recovery and data cleansing. There are currently no certification authorities listed on the ICO website that provide this scheme.
- Age Assurance – Age Check Certification Scheme (ACCS) developed this scheme, which contains data protection criteria for organizations that operate or use age assurance products. These products enable companies to estimate or verify a person’s age so that the person can access age-restricted products or services; and
- Age-appropriate design, especially children’s online privacy. This scheme, also developed by ACCS, offers criteria for the age-appropriate design of information society services based on the ICO’s children’s code. The certification body for both ACCS programs is Age Check Certification Services Ltd.
The ICO has commented that in these “constantly evolving” areas, “increased trust and accountability in the protection of personal data is critical”.
What is a certification?
Certification is provided for in Article 42 UK GDPR. It offers organizations the opportunity to demonstrate compliance with data protection law by meeting the standards set out in the certification scheme. In order to receive certification, controllers and processors must enter into binding and enforceable obligations towards the certification body. The UK GDPR states that certification is a means of demonstrating appropriate technical and organizational measures, of demonstrating data protection by design and by default, and of supporting the international transfer of personal data. Scheme criteria can be developed by organizations with expertise in a specific sector, or they can be more general.
Applying for certification is voluntary. Depending on the size of your organization, the responsible certification body may charge a fee for carrying out audits and tests. An organization may consider having its processing activities certified to take advantage of the benefits of certification, namely:
- To demonstrate compliance with the UK GDPR to the supervisory authority and to business partners;
- To show transparency and accountability;
- To gain the trust of customers who use the organisation’s products, processes and services;
- To gain a competitive advantage; and
- To improve standards by ensuring that the organization follows the latest best practices.
Data controllers may choose to include a certification scheme requirement in their vendor specification to ensure that their data processors or sub-processors are measured against ICO-approved criteria.
The certification bodies keep a publicly accessible register of the organizations that have received certification and publish a summary of the certification criteria, the assessment methods and the results of the assessments carried out. A certification is valid for a maximum of three years, subject to periodic review. If the criteria of the certification scheme are no longer met, the certification can be withdrawn. A link to register for a certification scheme can be found here.
The ICO would like to hear from organizations interested in developing certification schemes. It has published information on how to apply for UK GDPR certification in its guidance, which can be found here. It is therefore likely that further certification schemes will emerge in the coming months.