UK GDPR

Associated Standard

  • ISO/IEC 17065:2012 Conformity assessment — Requirements for bodies certifying products, processes and services

About the programme

The EU General Data Protection Regulation (GDPR) became part of UK law on 25 May 2018. The Regulation contains provisions and requirements pertaining to the processing of personal data. After the UK left the EU, the requirements of the GDPR were retained in UK legislation as the ‘UK GDPR’, which sits alongside the UK Data Protection Act.

The GDPR applies to ‘controllers’ and ‘processors’ of personal data, and both are required to demonstrate compliance. A controller determines how and why personal data is processed; a processor processes personal data on behalf of a controller, in accordance with the controller's instructions. Articles 42 and 43 of the GDPR provide for GDPR certification as a voluntary mechanism for verifying and demonstrating that compliance.

UKAS has been working closely with the Information Commissioner's Office (ICO) on the framework for UK GDPR certification and the processes involved; specifically, on the development of certification and accreditation requirements for UK GDPR schemes. The UK GDPR stipulates that Certification Bodies which deliver approved UK GDPR certification schemes must be accredited against the requirements of ISO/IEC 17065:2012 and the additional requirements set by the ICO (the UK additional accreditation requirements).

Current status

The final certification and accreditation annexes to the EDPB guidelines have been adopted. The ICO have published the UK additional accreditation requirements.