Certification schemes Detailed Guidance

Certification schemes consist of two key elements:

• The criteria outlining specific data protection requirements. These form the ‘standard’ against which the conformity of a product or service is assessed.
• The audit methodology and testing methods that are used by the certification body to carry out that assessment.

GDPR certification is different from many data protection certification products currently available. The focus is less on the governance and management arrangements around personal data and more an in-depth assessment of the specific processing operations and how personal data is actually processed. The certification covers a specific/discrete personal data processing operation(s) that forms a product, process or service offered by the controller or processor rather than the whole organisation. For example, a bank may apply to have its online banking certified as being compliant with an appropriate scheme’s criteria.

For personal data, ‘processing’ means any operation(s), which is performed on personal data or on sets of personal data (whether or not by automated means) such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.

For GDPR certification, the ICO is only required to assess the criteria outlining specific data protection requirements. Depending on the nature of your organisation, you may wish to develop only the criteria or a complete scheme. The full scheme including the audit and testing methodology is assessed by UKAS as part of the accreditation process.

The Guide to GDPR certification page contains links to EDPB guidelines on certification and accreditation. Any existing or proposed criteria need to follow these guidelines in order to be approved for use in a GDPR certification scheme and you should read these in detail before proceeding.

A key consideration in determining what a GDPR certification scheme can be about (the scope) is how it will benefit your target market and the individuals who use the product or services being certified. It should explain how the GDPR can be practically applied to a specific processing activity. It should also allow data subjects to easily assess the level of data protection of the products, processes and services offered by controllers and processors.

The scope of a scheme can be specific or more general. A specific scheme might only be aimed at a particular sector for a specific type of product or service, for example online banking portals, and the criteria will specifically relate to the processing operations commonly found in such portals.

A general scheme that aims to cover all aspects of GDPR and can be applied to any processing activity will still need to be granular enough to provide robust and meaningful certification.

You could consider having a general scheme (covering all aspects of GDPR) but with limited application, for example only applying to third party payroll services.

Alternatively, the scope of the scheme could be focused on only one area of the GDPR, for example, transparency or automated decision making.

To help you decide you should consider:

• any general/sectoral/industry data processing issues you might want to address through your scheme. You may want to carry out research and consultation within your proposed target market to ensure that your scheme meets a need and will have market viability;
• where is there a need for enhanced trust;
• how a particular processing activity impacts data subjects and how the proposed criteria or scheme would help them;
• how will the scheme documentation (including any logo, seal or mark) ensure that people can easily and immediately understand what is being certified and what that means for them;
• what schemes are already available; and
• the name of the scheme – does it accurately reflect the scope, and will it be understandable to users?

GDPR certification can only be applied to processing activity contained within a specific product, process or service offered by a controller or processor. Therefore, when developing scheme criteria, you should consider what possible processing operations might be covered under the scope of the scheme and how this might shape the scheme criteria.

You may consider excluding certain types of processing from the scope depending on the nature of the scheme. For example, if the scheme is called “Health Privacy Mark”, any processing that is not health data is out of scope and this should be stated in the scheme documentation.

The criteria should require the controller or processor to make clear where the processing that is subject to evaluation starts and ends, so that the intended audience, including data subjects, understand what exactly is being certified and what that certification means. This is referred to as the ‘object of certification’ or ‘target of evaluation’.

Certification criteria must provide common, specific and practical applications of GDPR principles and rules. In order to provide adequate assurance, the criteria must provide a standard for best practice in data protection – not merely restate the GDPR.

The criteria should clearly explain how the GDPR can be practically applied to the processing operations (target of evaluation), providing examples of technical and organisational measures that they must implement in order to meet the standard.

You need to make sure that the criteria relate to and are directed at the processing operations that you intend to be certified. Criteria for an information management system may make up part of the scheme but cannot be the sole focus of it, therefore you might include a section that covers information governance requirements.

To make it easier for the scheme to be assessed, you should consider the layout of your scheme documents from the start.

The document outlining the criteria (standard) must contain, as a minimum, the following sections, as detailed in Annex 2 of the EDPB certification guidelines:

1. Introduction including background and motivation for the scheme, including how the criteria will improve data protection compliance and benefit data subjects.
2. Scope of certification mechanism.
3. Target of evaluation (ToE) – describing how the ToE should be defined.
4. Normative references.
5. Terms & Definitions.
6. Criteria addressing:

(a) lawfulness of processing (Art 6)

(b) principles of data processing (Art 5)

(c) general obligations of controllers and processors (Chapter IV)

(d) data subjects’ rights (Art 12-23)

(e) obligation to notify data breaches (Art 33)

(f) obligation of DP by design and default (Art 25)

(g) assessment of risks to rights and freedoms of individuals including completion of DPIA where required (Art35(7)(d)

(h) technical and organisational measures guaranteeing protection in line with above

(i) technical and organisational measures to ensure appropriate level of security (Art 32)

(j) other privacy enhancing techniques;

7. Criteria for the purpose of demonstrating the existence of appropriate safeguards for international transfers of personal data; and
8. Additional criteria for a European Data Protection Seal as appropriate.

It would be helpful to include an explanation for each criterion (where necessary), guidance on how to implement it and how to demonstrate compliance. How compliance is tested will be considered fully as part of the accreditation process for certification bodies and the certification process for controllers and processors.

Certification scheme criteria must be:

• auditable (ie specify objectives and how they can be achieved to demonstrate compliance);
• relevant to the target audience;
• inter-operable with other standards, for example ISO standards; and
• scalable for application to different size or type of processing/organisations.

If you are a developing a complete certification scheme rather than just the criteria, then you also need to develop a scheme manual or equivalent document outlining the methods for evaluation and testing conformity against the certification criteria.

The nature of the evaluation should consider the scope of the scheme and the potential processing operations it may be applied to, as this will have an impact on the significance and value of the certification. For example, reducing the extent of evaluation for practical purposes or to reduce costs, will reduce the significance of the certification.

If you have only developed the criteria or standard, you may still need to consider providing guidance for certification bodies who will carry out conformity assessment activities against those criteria. This guidance may outline specific requirements (where specific requirements exist) taking into account the potential target of evaluation. For example, it may include requirements for audit and testing methodology, and expertise of certification body personnel carrying out the assessment.

If the scheme includes a seal or mark that can be used by the controller or processor to signify successful completion of the certification procedure, then you need to demonstrate that you have protected those marks and laid down rules for their use.

The design of the mark or seal should help the public understand the meaning of the certification where possible. For example, a ‘Health Privacy Mark’ would indicate to the public that the certification is about enhanced privacy of their health information.

You should consider testing your scheme with a number of volunteer organisations. This will help ensure that the scheme is fit for purpose.

If you are not proposing to deliver the scheme yourself, you may want to contact prospective certification bodies who can help you test your scheme.

We appreciate that developing a certification scheme can be a complex process, so we welcome informal discussions with organisations as part of their development phase.

This should ensure that scheme criteria are developed in line with the relevant guidelines and requirements.

You can contact ICO at [email protected].

You need to provide:

• a fully completed application form;
• a ‘Criteria catalogue’ or ‘Standard’ outlining the criteria and containing the sections outlined above;
• guidance for certification bodies who will be carrying out conformity assessment activities. This may outline the required conformity assessment methodology and any other specific requirements as described above;
• a use case (actual or theoretical worked example) to demonstrate how the certification criteria could be applied in practise;
• details of any consultation you have carried out during the development of your certification criteria or scheme; and
• results of any testing carried out.

When you submit the scheme criteria, we will perform initial triage of the documentation to determine if it satisfies the following:

• It contains company details and point of contact (incl. company registration no.).
• It is laid out in a logical and understandable way.
• The scope is clearly defined, meaningful and not misleading.
• The scope includes all relevant aspects of processing to be addressed by the scheme.
• It allows meaningful GDPR certification, taking into account the nature, content, risk and scope of processing.
• The territorial scope is defined.
• The criteria sufficiently describe how the object of certification/ target of evaluation (ToE) should be defined by the controller/processor.
• The criteria guarantee that the resulting certification will be understandable to intended audience including data subjects.
• It includes a case study or worked examples of how the criteria could be applied to enable understanding of how the criteria can be applied in real-life situations.
• The relevant terms are defined, and normative references identified.
• The criteria include a description of GDPR responsibilities, procedures and processing covered by the scope.
• It appears on first inspection to cover all relevant sections of GDPR that relate to the scope, ie principles, rights, lawful basis, data protection by design and default, requirement to assess risks to rights and freedoms of individuals.
• It identifies a clear market need and has considered the commercial viability of the scheme.

UKAS will also assess the proposed scheme criteria to ensure that they are suitable for accreditation (ie the GDPR certification criteria in the scheme are fit for purpose, measurable, deliver the right outcomes and has been established in consultation with relevant stakeholders).

If the scheme criteria meet the above requirements we will then carry out a full assessment in line with Annex 1 of the EDPB certification guidelines. This may include the scheme owner meeting with the ICO to discuss the scheme criteria in more detail.

Ultimately, the ICO will approve criteria based on how well they are likely to improve data protection compliance of controllers and processors and benefit the information rights of data subjects.

Once any required changes are made and the criteria meet the full requirements enabling controllers and processors to demonstrate compliance with the GDPR then we will issue a draft approval.

In order to ensure consistency in GDPR certification across all EU member states, and while EU law continues to apply to the UK, we are required to submit our draft decision to EDPB for their opinion. The opinion process takes 8 – 14 weeks. However, there is a recommended informal phase that takes place beforehand. Whilst this will add time to the approval process, it allows us to get early feedback from other member states and seek further information from the scheme owner, before submitting a draft decision for an EDPB opinion. This should help ensure a positive outcome. It also allows for any necessary changes to be made to the scheme, as once formally submitted no further changes can be made until the opinion has been issued.

Once the criteria are finalised the details are published on our website and on the EDPB ‘register of certification mechanisms, seals and marks’.

Please note it is a requirement for scheme criteria to be made publicly available.