Did you know the Information Commissioner’s Office (ICO) is launching a new GDPR “Certification” scheme?
- An organisation will be able to show its customers that it takes data protection seriously.
- An organisation will be able to use certification as a method of demonstrating its compliance with the GDPR.
- The ICO will soon be approving the criteria of certification schemes and addressing other general issues around the framework.
- Once an accredited certification body has evaluated and approved an organisation, it will issue the data protection certificate, seal or mark relevant to that scheme.
As per the initial guidance, certification is voluntary, but it is not the first time a UK regulator has started a certification, reporting or record-keeping requirement as voluntary and later made it compulsory.
Reasons for Certification
Certification indicates that your processing of personal data complies with the requirements of the GDPR. It also helps organisations and regulators to identify practical ways of implementing data protection. It makes it easier for your customers to assess the level of data protection of your product or service, which provides transparency both for data subjects and in business-to-business relationships.
Let’s find out what GDPR says about Certification and what it means.
- It can be used to demonstrate compliance with the requirements of data protection by design and by default. (Article 25(3))
- It can be used to demonstrate that your technical and organisational measures are adequate to ensure the security of processing. (Article 32(3))
- It can serve as an appropriate safeguard for the transfer of personal data to a third country or international organisation. (Article 46(2))
Who is responsible for Certification?
Member states, supervisory authorities, the European Data Protection Board (EDPB) and the Commission will encourage the use of data protection certification mechanisms as a means of increasing transparency and compliance with the GDPR.
In the UK the certification framework will involve:
- The ICO publishing official requirements for certification bodies to meet.
- The UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register of them.
- The ICO approving and publishing certification scheme criteria.
- Accredited certification bodies issuing certification against those criteria.
- Controllers and processors applying for certification and using it to demonstrate compliance.
What can be certified?
The scope of a certification scheme can be either general or specific. It relates to a defined set of personal data processing operations, and an accredited certification body assesses those processing operations against the scheme’s certification criteria. Certification cannot be issued to individuals (such as data protection officers), only to data controllers and processors.
Article 42(2) also provides for certification schemes to demonstrate the existence of appropriate safeguards provided by controllers or processors who are not subject to the GDPR, in the context of international transfers of personal data.
The certification scheme criteria
Certification scheme criteria can cover many aspects of processing. For example:
- The lawfulness of the processing. (Art 6)
- The principles of data processing. (Art 5)
- Data subjects’ rights. (Art 12-23)
- The obligation to notify data breaches. (Art 33)
- The responsibility for data protection by design and by default. (Art 25)
- The technical and organisational measures put in place. (Art 32)
The criteria themselves must also be:
- Formulated in a way that is clear and allows practical application.
- Auditable and relevant to the target audience.
- Scalable for use by organisations of different sizes and types.
Once the accredited certification body evaluates your enterprise, you will receive a data protection certificate, seal or mark relevant to that scheme.
Importance of Certification of processing
GDPR certification is voluntary, but it is not the first time a regulator has started a certification, reporting or record-keeping requirement as voluntary and later made it compulsory. Moreover, if you find an approved certification scheme that covers your processing activity, consider whether it would help to demonstrate your compliance with the GDPR.
What are the practical implications?
- As a controller or processor, you can apply for certification of your processing operations and services.
- Certification is valid for a maximum of three years and can be renewed, subject to periodic reviews. These independent reviews provide assurance that the certification can be trusted.
- Your customers can view your certification in a public register of certificates issued by certification bodies.
- Certification helps you to demonstrate compliance but does not reduce your data protection responsibilities.
- When working with third parties, you may consider whether or not they hold a GDPR certification for their processing operations, as part of meeting your due diligence requirements under the GDPR.
Seers is working closely with the ICO and making suggestions to make life easier for businesses and data protection professionals.