GDPR certification

21 June, 2019

The EU General Data Protection Regulation (GDPR) became part of UK law from 25 May 2018. The Regulation contains provisions and requirements pertaining to the processing of personal data.

The GDPR applies to ‘controllers’ and ‘processors’ of personal data. A controller determines how and why personal data is processed; a processor is responsible for processing personal data on behalf of a controller in accordance with the controller's instructions. Both controllers and processors are subject to GDPR requirements and are required to demonstrate their compliance. Articles 42 and 43 of the GDPR provide for GDPR certification as a voluntary mechanism for verifying and demonstrating compliance. The Information Commissioner’s Office (ICO) in the UK and its counterparts in Member States are promoting certification as an effective way for organisations to demonstrate compliance with the GDPR.

UKAS has been working closely with the ICO on the framework for GDPR certification and the processes involved, specifically on the development of certification and accreditation requirements for UK GDPR schemes in line with European Data Protection Board (EDPB) guidelines. The EDPB is the EU organisation in charge of the application of the GDPR and is composed of the supervisory authorities from all Member States (in the UK this is the ICO). Once approved by the ICO, GDPR certification scheme criteria will need to be submitted to the EDPB for its opinion. The GDPR stipulates that certification bodies which deliver approved GDPR certification schemes must be accredited against the requirements of ISO/IEC 17065:2012 and the additional requirements set by the ICO.

The final certification and accreditation annexes to the EDPB guidelines have been adopted, and we are working with the ICO to determine any UK specific additional accreditation requirements for submission to the EDPB in the autumn. UKAS and the ICO will continue to work together to finalise details of the certification scheme application process and requirements. The ICO is aiming to be in a position to publish the process and requirements in autumn 2019.

UKAS will then be able to gauge, through an Expression of Interest, the likely level of interest from organisations which wish to become accredited certification bodies. Meanwhile we would welcome discussion on possible certification schemes with scheme owners. Please contact David.Hayward@ukas.com if you would like to discuss possible certification schemes or if you have any queries about what schemes need to consider.

For more information on GDPR certification and data protection please see the ICO’s website: https://ico.org.uk/