The UK Information Commissioner’s Office (ICO) has announced it is “welcoming enquiries” from organisations that are considering developing a General Data Protection Regulation (GDPR) certification scheme.
The announcement comes alongside updated ICO guidance on certification under the GDPR, as the European Data Protection Board (EDPB) completes a round of consultations with a view to adopting a full set of guidelines and annexes on certification, identifying certification criteria and the accreditation of certification bodies.
EU Member States and supervisory authorities such as the ICO, along with the EDPB and the European Commission, are required by the regulation to encourage the use of certification mechanisms as a means to enhance transparency and compliance with the GDPR.
The GDPR says that certification is also a means to demonstrate data protection by design and by default and that appropriate technical and organisational measures are in place to ensure data security.
Certification may also support transfers of personal data to third countries or international organisations. The EDPB is drafting guidelines on certification as an appropriate safeguard for international transfers of personal data.
Certification is therefore a voluntary method for an organisation to demonstrate compliance with GDPR, in line with the accountability principle.
The ICO says certification is a practical way for data controllers and processors to demonstrate data protection to other businesses, individuals and regulators, and to give customers a means to quickly assess the level of data protection of a particular product or service, which provides transparency both for individuals and in business-to-business relationships.
Certification in the UK
The ICO plans to publish accreditation requirements that certification bodies must meet. Certification bodies will be accredited by the UK Accreditation Service (UKAS), which will maintain a public register.
The ICO will approve and publish certification scheme criteria derived from GDPR principles and rules. It notes that scheme criteria must specify objectives and how they can be achieved, so that compliance can be demonstrated, and must be interoperable with other standards, such as those set by the International Organisation for Standardisation.
Data controllers and processors can then apply for certification for their processing operations and services.
Accredited certification bodies, using independent assessors, can assess eligibility and issue certification against those criteria.
Once an organisation has been successfully assessed, it will be issued with a data protection certificate, seal or mark relevant to that scheme.
Certification will be valid for a maximum of three years, subject to periodic reviews, the ICO said, adding that certifications can be withdrawn if the organisation no longer meets the certification criteria.
Across EU Member States, the EDPB will collate all EU certification schemes in a public register. There is also scope for a European Data Protection Seal where scheme criteria are approved by the EDPB for use in all Member States.
Scope of a certification scheme
According to the ICO, the scope of a certification scheme could be general or specific, for example, secure storage and protection of personal data contained in a digital vault.
Certification can therefore relate to a specific personal data processing operation or set of operations. Those processing operations will be assessed against the certification scheme criteria by the accredited certification body.
Certification will be issued only to data controllers and data processors, and therefore cannot be used to certify individuals, such as data protection officers (DPOs).
Article 42(2) of the GDPR also allows for the use of certification schemes to demonstrate the existence of appropriate safeguards provided by controllers or processors that are not subject to GDPR for international transfers of personal data.
Once certification bodies have been accredited to issue GDPR certificates, this information will be published on the ICO’s and UKAS’s websites. Final publication of certification and accreditation guidelines and annexes is expected in the coming months.
Once the EDPB accreditation requirements are finalised, the ICO will submit its own additional requirements to EDPB for its opinion. Following final approval of the certification annex, the ICO can start accepting certification schemes for approval.
“The ICO is promoting certification schemes as a way for organisations to gain a competitive advantage by enabling businesses or individuals to distinguish which processing activities, operations and services meet GDPR data protection requirements and they can ‘trust’ with their personal data,” said Rohan Massey, co-global head of privacy and cyber security at global law firm Ropes & Gray.
“The ICO suggests that, when contracting work to third parties and to help meet its due diligence requirements under the GDPR, an organisation may wish to consider whether they hold a GDPR certificate for their processing operations.
“The ICO nevertheless forewarns organisations that while certification can help demonstrate compliance, it does not reduce their data protection responsibilities,” he said. “Whilst certification will be considered as a mitigating factor when the ICO is considering imposing a fine, non-compliance with a certification scheme could also be a reason for issuing a fine.”