UK ICO approves the first UK GDPR certification scheme criteria


On August 19, 2021, the UK Information Commissioner’s Office (“ICO”) approved the criteria for three certification schemes under Article 42(5) of the UK GDPR. Certification schemes are a way for companies to demonstrate compliance with the UK GDPR.

The ICO has approved criteria for the following programs:

  • ADISA ICT Asset Recovery Certification 8.0: This certification standard was developed for data processors or sub-processors who offer data sanitization services, to ensure that personal data is permanently removed from IT equipment (e.g. computer hard drives or photocopiers) that is to be reused or destroyed.
  • Age Check Certification Scheme (“ACCS”): The ACCS program is designed to verify that age assurance products are functioning correctly to enable organizations to estimate or verify an individual’s age (e.g., for access to age-restricted products or services).
  • Age Appropriate Design Certification Scheme (“AADCS”): The AADCS program addresses children’s online privacy and provides age-appropriate design criteria for information society services in accordance with the ICO’s Age Appropriate Design Code (the “Code”). This certification scheme is likely to benefit organizations subject to the Code, which has a deadline of September 2, 2021.

After approval by the ICO, the United Kingdom Accreditation Service (“UKAS”) accredited certification bodies that can now issue certifications according to the recognized criteria. The Age Check Certification Scheme Ltd has been recognized as a UKAS-accredited certification body for the ACCS and AADCS. There is currently no UKAS-accredited certification body for ADISA certification.