This guidance discusses certification schemes in detail. Read it if you have detailed questions not answered in the Guide to the GDPR, or if you need a deeper understanding. This guidance will be useful for organisations considering writing, monitoring or signing up to a certification scheme.
If you haven’t yet read certification schemes in brief in the guide, you should read that first. It sets out the key points you need to know and includes frequently asked questions regarding certification schemes.
How do we apply for GDPR certification?
At a glance
Currently there are no ICO-approved GDPR certification schemes in operation. We will publish information once certification schemes have been approved.
GDPR certification will be issued by UKAS-accredited certification bodies against ICO-approved certification scheme criteria. To obtain certification once a scheme is in place, you will need to apply to the certification body delivering that scheme.
In brief
If, having considered the benefits and practical implications, your organisation is interested in applying for GDPR certification you should:
- Find a scheme – you need to find a scheme that suits your needs for the product or service you want to have certified, and for the nature of your organisation.
- Find a certification body – certification bodies will issue GDPR certifications, so you need to apply directly to them. You can find details of which certification bodies are delivering your chosen scheme on the UKAS website (external link).
- GDPR certification must be for a specific processing operation or set of operations that make up a product, process or service offered by your organisation. You should decide what product, process or service you offer that you want to have assessed and certified. For example, HR processing, online payments system, marketing services or customer management database.
- You need to map the processing operations associated with that product or service to establish what processing needs to be assessed. This is called the ‘object of certification’ or ‘target of evaluation’.
- During the scheme application process, you are required to tell the certification body if you are subject to any action by the ICO.
- The ICO will confirm, where appropriate, that this is the case prior to the certification body issuing or renewing certification. If it is discovered that you have not disclosed such action to the certification body, this may result in them not issuing certification.
- Make sure you have paid your data protection fee. From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 require every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt.
- If your organisation has a personal data breach during the term of your certification, you are required to notify the certification body so they can assess if you still meet the certification criteria.
- Should the ICO become aware of any compliance issues that might affect your certification we may notify the certification body and they will be required to conduct an investigation to assess if you still meet the certification criteria.
- Ultimately, if you no longer meet the criteria, then your certification can be withdrawn.
You should contact the relevant certification body to find out how much it will cost to carry out an assessment of your processing activity. They normally charge a day rate for conducting audits and testing, so the cost will largely depend on the size of your organisation and the scale and complexity of the processing operations they are assessing.
The certification body will issue a certificate to you. It will state what processing is covered by your certification and how long it is valid for.
The certification may allow you to use and display a specific logo, seal or mark to demonstrate that you have achieved certification. What the mark looks like will depend on which scheme you have applied to.
The certification body is required to keep a publicly available directory of organisations that they have certified. This is usually a register where people can search by your certificate number or company name.
They are also required to make publicly available an executive summary of their evaluation report explaining what is being certified, the certification criteria, the evaluation methods and tests conducted and the results.
They will also send this executive summary to the ICO before issuing the certification.
How do we become a certification body?
In brief
- You will go through the UKAS accreditation process where you are evaluated against the standards outlined in ISO 17065 and the UK additional accreditation requirements.
- In order to be eligible for accreditation your organisation needs to be a formal legal entity that can be held legally responsible for its certification activities.
- Your organisation must be located in the UK.
- To ensure impartiality there must be no relevant connection between the certification body and the applicant. For example, you cannot provide consultancy services and certification to the same organisation.
- Your organisation should be able to demonstrate that your certification process complies with the GDPR and the DPA18 certification process. You also have to confirm to UKAS that you are not the subject of any ICO investigation or regulatory action that means you may not meet this requirement.
- Accreditation can take from 6-18 months depending on the nature of your organisation and the complexity of the certification scheme you want to deliver.
- UKAS charge a fee for accreditation. There is more information about the accreditation process and potential costs on the UKAS website.
- Once you know what certification scheme you want to deliver you apply directly to UKAS for accreditation.
- Accreditation includes an assessment of how you plan to audit and test organisations against the certification criteria.
- UKAS provide the ICO with details of the applications they receive as well as the accreditations they issue, refuse or withdraw.
- They also provide us with a summary of complaints and appeals they receive.
- UKAS are required to notify the ICO of any non-conformity of the certification body that has the potential to lead to suspension or withdrawal of accreditation or could result in an infringement of the GDPR or damage to the integrity of GDPR certification.
- Certification bodies are required to inform the ICO about all applications they receive at the application stage and their reasons for granting/withdrawing certification.
UKAS publish details of accredited certification bodies on their website and we will link to their list of accredited organisations from our website.
As a certification body you are required to create a directory of certified clients containing information required by ISO 17065 and the ICO additional accreditation requirements. This is a publicly accessible record of certifications issued and on what basis. It includes information about the certification mechanism, how long the certifications are valid for and under which framework and conditions.
You can find out more about the requirements for accreditation of certification bodies in the EDPB accreditation guidelines. The UK additional accreditation requirements are based on Annex 1 of these guidelines.
How do we develop a certification scheme?
In brief
Certification schemes consist of two key elements:
- The criteria outlining specific data protection requirements. These form the ‘standard’ against which the conformity of a product or service is assessed.
- The audit methodology and testing methods that are used by the certification body to carry out that assessment.
GDPR certification is different from many data protection certification products currently available. The focus is less on the governance and management arrangements around personal data and more on an in-depth assessment of the specific processing operations and how personal data is actually processed. The certification covers a specific, discrete personal data processing operation (or set of operations) that forms a product, process or service offered by the controller or processor, rather than the whole organisation. For example, a bank may apply to have its online banking certified as being compliant with an appropriate scheme’s criteria.
For personal data, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means), such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
For GDPR certification, the ICO is only required to assess the criteria outlining specific data protection requirements. Depending on the nature of your organisation, you may wish to develop only the criteria or a complete scheme. The full scheme including the audit and testing methodology is assessed by UKAS as part of the accreditation process.
The Guide to GDPR certification page contains links to EDPB guidelines on certification and accreditation. Any existing or proposed criteria need to follow these guidelines in order to be approved for use in a GDPR certification scheme and you should read these in detail before proceeding.
A key consideration in determining what a GDPR certification scheme can be about (the scope) is how it will benefit your target market and the individuals who use the product or services being certified. It should explain how the GDPR can be practically applied to a specific processing activity. It should also allow data subjects to easily assess the level of data protection of the products, processes and services offered by controllers and processors.
The scope of a scheme can be specific or more general. A specific scheme might only be aimed at a particular sector for a specific type of product or service, for example online banking portals, and the criteria will specifically relate to the processing operations commonly found in such portals.
A general scheme that aims to cover all aspects of GDPR and can be applied to any processing activity will still need to be granular enough to provide robust and meaningful certification.
You could consider having a general scheme (covering all aspects of GDPR) but with limited application, for example only applying to third party payroll services.
Alternatively, the scope of the scheme could be focused on only one area of the GDPR, for example, transparency or automated decision making.
To help you decide you should consider:
- any general/sectoral/industry data processing issues you might want to address through your scheme. You may want to carry out research and consultation within your proposed target market to ensure that your scheme meets a need and will have market viability;
- where there is a need for enhanced trust;
- how a particular processing activity impacts data subjects and how the proposed criteria or scheme would help them;
- how the scheme documentation (including any logo, seal or mark) will ensure that people can easily and immediately understand what is being certified and what that means for them;
- what schemes are already available; and
- the name of the scheme – does it accurately reflect the scope, and will it be understandable to users?
GDPR certification can only be applied to processing activity contained within a specific product, process or service offered by a controller or processor. Therefore, when developing scheme criteria, you should consider what possible processing operations might be covered under the scope of the scheme and how this might shape the scheme criteria.
You may consider excluding certain types of processing from the scope depending on the nature of the scheme. For example, if the scheme is called “Health Privacy Mark”, any processing that is not health data is out of scope and this should be stated in the scheme documentation.
The criteria should require the controller or processor to make clear where the processing that is subject to evaluation starts and ends, so that the intended audience, including data subjects, understand what exactly is being certified and what that certification means. This is referred to as the ‘object of certification’ or ‘target of evaluation’.
Certification criteria must provide common, specific and practical applications of GDPR principles and rules. In order to provide adequate assurance, the criteria must provide a standard for best practice in data protection – not merely restate the GDPR.
The criteria should clearly explain how the GDPR can be practically applied to the processing operations (target of evaluation), providing examples of technical and organisational measures that they must implement in order to meet the standard.
You need to make sure that the criteria relate to and are directed at the processing operations that you intend to be certified. Criteria for an information management system may make up part of the scheme but cannot be its sole focus; for example, you might include a section that covers information governance requirements alongside the criteria for the processing itself.
To make it easier for the scheme to be assessed, you should consider the layout of your scheme documents from the start.
The document outlining the criteria (standard) must contain, as a minimum, the following sections, as detailed in Annex 2 of the EDPB certification guidelines:
- Introduction including background and motivation for the scheme, including how the criteria will improve data protection compliance and benefit data subjects.
- Scope of certification mechanism.
- Target of evaluation (ToE) – describing how the ToE should be defined.
- Normative references.
- Terms & Definitions.
- Criteria addressing:
(a) lawfulness of processing (Art 6)
(b) principles of data processing (Art 5)
(c) general obligations of controllers and processors (Chapter IV)
(d) data subjects’ rights (Art 12-23)
(e) obligation to notify data breaches (Art 33)
(f) obligation of DP by design and default (Art 25)
(g) assessment of risks to rights and freedoms of individuals, including completion of a DPIA where required (Art 35(7)(d))
(h) technical and organisational measures guaranteeing protection in line with above
(i) technical and organisational measures to ensure appropriate level of security (Art 32)
(j) other privacy enhancing techniques;
- Criteria for the purpose of demonstrating the existence of appropriate safeguards for international transfers of personal data; and
- Additional criteria for a European Data Protection Seal as appropriate.
It would be helpful to include an explanation for each criterion (where necessary), guidance on how to implement it and how to demonstrate compliance. How compliance is tested will be considered fully as part of the accreditation process for certification bodies and the certification process for controllers and processors.
Certification scheme criteria must be:
- auditable (ie specify objectives and how they can be achieved to demonstrate compliance);
- relevant to the target audience;
- inter-operable with other standards, for example ISO standards; and
- scalable for application to different size or type of processing/organisations.
If you are developing a complete certification scheme rather than just the criteria, then you also need to develop a scheme manual or equivalent document outlining the methods for evaluation and testing conformity against the certification criteria.
The nature of the evaluation should take into account the scope of the scheme and the potential processing operations it may be applied to, as this will have an impact on the significance and value of the certification. For example, reducing the extent of evaluation for practical purposes or to reduce costs will reduce the significance of the certification.
If you have only developed the criteria or standard, you may still need to consider providing guidance for certification bodies who will carry out conformity assessment activities against those criteria. This guidance may outline specific requirements (where specific requirements exist) taking into account the potential target of evaluation. For example, it may include requirements for audit and testing methodology, and expertise of certification body personnel carrying out the assessment.
If the scheme includes a seal or mark that can be used by the controller or processor to signify successful completion of the certification procedure, then you need to demonstrate that you have protected those marks and laid down rules for their use.
The design of the mark or seal should help the public understand the meaning of the certification where possible. For example, a ‘Health Privacy Mark’ would indicate to the public that the certification is about enhanced privacy of their health information.
You should consider testing your scheme with a number of volunteer organisations. This will help ensure that the scheme is fit for purpose.
If you are not proposing to deliver the scheme yourself, you may want to contact prospective certification bodies who can help you test your scheme.
We appreciate that developing a certification scheme can be a complex process, so we welcome informal discussions with organisations as part of their development phase.
This should ensure that scheme criteria are developed in line with the relevant guidelines and requirements.
You can contact ICO at [email protected].
You need to provide:
- a fully completed application form;
- a ‘Criteria catalogue’ or ‘Standard’ outlining the criteria and containing the sections outlined above;
- guidance for certification bodies who will be carrying out conformity assessment activities. This may outline the required conformity assessment methodology and any other specific requirements as described above;
- a use case (actual or theoretical worked example) to demonstrate how the certification criteria could be applied in practice;
- details of any consultation you have carried out during the development of your certification criteria or scheme; and
- results of any testing carried out.
When you submit the scheme criteria, we will perform initial triage of the documentation to determine if it satisfies the following:
- It contains company details and point of contact (incl. company registration no.).
- It is laid out in a logical and understandable way.
- The scope is clearly defined, meaningful and not misleading.
- The scope includes all relevant aspects of processing to be addressed by the scheme.
- It allows meaningful GDPR certification, taking into account the nature, content, risk and scope of processing.
- The territorial scope is defined.
- The criteria sufficiently describe how the object of certification/ target of evaluation (ToE) should be defined by the controller/processor.
- The criteria guarantee that the resulting certification will be understandable to intended audience including data subjects.
- It includes a case study or worked examples of how the criteria could be applied to enable understanding of how the criteria can be applied in real-life situations.
- The relevant terms are defined, and normative references identified.
- The criteria include a description of GDPR responsibilities, procedures and processing covered by the scope.
- It appears on first inspection to cover all relevant sections of GDPR that relate to the scope, ie principles, rights, lawful basis, data protection by design and default, requirement to assess risks to rights and freedoms of individuals.
- It identifies a clear market need and has considered the commercial viability of the scheme.
UKAS will also assess the proposed scheme criteria to ensure that they are suitable for accreditation (ie the GDPR certification criteria in the scheme are fit for purpose, measurable, deliver the right outcomes and have been established in consultation with relevant stakeholders).
If the scheme criteria meet the above requirements we will then carry out a full assessment in line with Annex 1 of the EDPB certification guidelines. This may include the scheme owner meeting with the ICO to discuss the scheme criteria in more detail.
Ultimately, the ICO will approve criteria based on how well they are likely to improve data protection compliance of controllers and processors and benefit the information rights of data subjects.
Once any required changes are made and the criteria meet the full requirements enabling controllers and processors to demonstrate compliance with the GDPR then we will issue a draft approval.
In order to ensure consistency in GDPR certification across all EU member states, and while EU law continues to apply to the UK, we are required to submit our draft decision to EDPB for their opinion. The opinion process takes 8 – 14 weeks. However, there is a recommended informal phase that takes place beforehand. Whilst this will add time to the approval process, it allows us to get early feedback from other member states and seek further information from the scheme owner, before submitting a draft decision for an EDPB opinion. This should help ensure a positive outcome. It also allows for any necessary changes to be made to the scheme, as once formally submitted no further changes can be made until the opinion has been issued.
Once the criteria are finalised the details are published on our website and on the EDPB ‘register of certification mechanisms, seals and marks’.
Please note it is a requirement for scheme criteria to be made publicly available.
Submit your certification scheme
The ICO appreciates that developing a certification scheme can be a complex process. This application process will indicate whether you are at the right stage to submit certification scheme criteria. The ICO also welcomes informal discussions with organisations as part of their development phase. This should ensure that scheme criteria are developed in line with the relevant guidelines and requirements. You can contact ICO at [email protected].
Certification scheme application process (for organisations; external link)
Register of certification scheme criteria
Currently there are no ICO-approved GDPR certification schemes in operation.
We will publish the relevant information here once certification schemes have been approved.