The ICO has approved the first UK GDPR certification scheme criteria. Certification is a provision under Article 42 UK GDPR. It is based on data protection law and international standards for certification of products, services and processes and has been developed in partnership with UKAS, the United Kingdom’s national accreditation body.

Certification was introduced under the UK GDPR with the aim of helping organisations demonstrate compliance with data protection rules and, in turn to inspire trust and confidence in the people who use their products, processes and services.

It works by providing a framework for organisations to follow, which offers clients and customers assurance that they are adhering to strong standards. Organisations with expertise in a particular area can develop scheme criteria.

The ICO has approved the criteria for three schemes, which will now be rolled out:

• ADISA, experts in IT asset disposal services, have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed.
• Age Check Certification Scheme (ACCS) have developed criteria for two schemes, the first relating to age assurance and the second looking at children’s online privacy.

According to the ICO, organisations that achieve the standards set out in the certification schemes can create a competitive advantage and demonstrate that they have the highest level of commitment to data protection compliance to their customers, partners and investors.

The ICO has produced guidance on certification.