GDPR includes a provision for certification schemes to be approved by, in our case, the Information Commissioner’s Office. A certification scheme would involve testing data protection compliance against a standard, probably involving an audit, and certifying that an organisation meets the standard, similar to British and International Standards.
There was an announcement in December 2019 that the ICO will work with the UK Accreditation Scheme to set up approved certification schemes for the UK. It was announced a long time ago that the ICO preferred to work with a third party to manage the accreditation process; the idea is that service providers would achieve the status of accreditation provider/checker and deliver services to organisations seeking certification.
Circumstances in which it might be desirable to obtain certification would include:
• Giving assurance to service users, partners and employees that data protection standards are being met
• Providing a competitive advantage, particularly where a lot of client/customer data is processed
• Giving assurance to board members and other stakeholders that data protection law is being observed
• Helping to establish the credibility of the organisation.
Further details on how the accreditation scheme will work were published by the ICO on 28 February 2020. In case you missed it, the link is here.
Mandy Webster, Data Protection Consultant