ICO Releases New UK GDPR Certification Scheme

03.04.2023

The Information Commissioner's Office (“ICO”) has released a new certification scheme which targets training and qualification service providers. The certification scheme aims to enable candidates wishing to apply for training programs to make informed choices with the assurance that their personal data will be processed in accordance with the UK GDPR.

This certification scheme is the fourth of the certification programs published by the ICO. There are three other certification programs: one covers the safe reuse and disposal of IT assets, while the other two provide a standard in areas such as age assurance and children's online privacy.

“In an era where trust and accountability are paramount, these schemes are a way of reassuring your customers, clients and suppliers that you hold additional expertise in a given area, are committed to building data privacy into your work and adhere to strong standards,” says Emily Keany, deputy commissioner for the ICO.

The ICO has certification schemes to help organizations demonstrate compliance with the GDPR. The certification framework involves: (i) publishing of accreditation requirements for certification bodies to meet, (ii) the UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register, (iii) approval and publishing of certification criteria, (iv) accredited certification bodies issuing certification against those criteria, (v) controllers and processors applying for certification and using it to demonstrate compliance, and (vi) the ICO maintaining a public register of approved certification schemes. The UK GDPR states that certification is also a means to: demonstrate compliance with the provisions on data protection by design and by default (Article 25(3)); demonstrate that the organisation has appropriate technical and organisational measures to ensure data security (Article 32(3)); and support transfers of personal data to third countries or international organisations (Article 46(2)(f)).

The schemes aim to provide assurance to individuals, customers, and partners that their personal data is being handled lawfully and in line with the general principles. At the same time, as the ICO states, UK GDPR certification scheme criteria set requirements for best practice in a particular area. Therefore, achieving certification and meeting these requirements may reduce the risk of non-compliance and the risk of corrective action.

In order to obtain certification, organizations need to undergo an assessment by an accredited certification body that verifies their compliance. The certification body will review the organization's policies, procedures and data protection practices to determine whether they meet the requirements. Once an organization has successfully completed the assessment and demonstrated compliance, it will be certified.

Overall, the ICO's GDPR certification scheme is a useful tool for organizations that want to demonstrate their compliance and show their commitment to protecting personal data.


Tagged with: Kavlak Law Firm, Ayşe Aybüke Çilingir, Özge Keskin, Data Protection, Data Privacy
