The European Data Protection Board (EDPB) is currently considering responses to a consultation on the accreditation and certification guidelines for the GDPR.
At this time, there are no approved certification schemes or accredited certification bodies for issuing GDPR certificates. Once certification bodies have been accredited to issue GDPR certificates, you will find this information on the ICO’s and UKAS’s websites.
In the meantime, the ICO are welcoming enquiries from organisations who are in the process of developing or have developed GDPR certification schemes.
Certification is a way for an organisation to demonstrate compliance with GDPR. The certification scheme criteria will be approved by the ICO and can cover a specific issue or be more general. Once an accredited certification body has assessed and approved an organisation, it will issue the data protection certificate, seal or mark relevant to that scheme.
- Certification schemes will be a way to demonstrate your compliance with the GDPR and enhance transparency.
- Certification schemes should reflect the needs of small and medium-sized enterprises.
- Certification scheme criteria will be approved by the ICO and delivered by accredited certification bodies.
- Certification will be issued to data controllers and data processors in relation to specific processing activities.
- Signing up to a certification scheme is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider working towards it, as it can help you demonstrate compliance to the regulator, the public and your business-to-business partners.
The final certification and accreditation guidelines are expected to be published in summer 2019 and submitted to the EDPB for its opinion. Additional requirements are expected to be finalised and published in autumn 2019. All of these timelines depend on the EDPB's own timelines, which are subject to change.