ICO Approves First UK GDPR Certification Schemes
On 19 August 2021, the Information Commissioner’s Office (the ICO) announced its approval of the first UK GDPR certification scheme criteria. As with other certification schemes, an ICO scheme works by providing a framework for organisations to elect to follow regarding a specific area or topic and if the organisation achieves the standards set out in the framework, they will be considered “certified”.
Whilst being certified is of course beneficial for an organisation from a legal perspective as it shows a commitment to data protection compliance, being certified also very often creates a competitive advantage for the organisation as it demonstrates a high level of compliance in the area which may be attractive to a customer or partner whereas a competitor may not have achieved the same standard. For example, it is common now when onboarding new service providers that an organisation will expect the service provider to have achieved certain information security certifications or at least working towards such certification.
The initial three schemes approved are:
- ADISA ICT Asset Recovery Certification: intended to ensure personal data is being handled appropriately when IT equipment is re-used or destroyed.
- Age Check Certification Scheme: tests that age assurance products work correctly (i.e. products which estimate or verify the age of a person).
- Age Appropriate Design Certification Scheme: looks at children’s privacy online and provides criteria for the age appropriate design of information society services, which are based on the ICO’s Children’s Code.
It is rather unsurprising that these were the first three schemes announced given their nature and scope. As for most data protection regulators, security of personal data is always a high priority and it is likely we will see many more security focused schemes approved by the ICO in the near future. Further, protecting the personal data of children online is a very high priority of the ICO which is demonstrated by the Children’s Code. For organisations which are subject to the Code, compliance is required from 2 September 2021. Given this date is fast approaching and the fact that many organisations are not entirely clear how the Children’s Code principles translate into technical and practical actions, it is likely the Age Appropriate Design Certification Scheme will receive some fairly significant traction over the next few months.
The ICO has stated it is keen to discuss the development of other certifications schemes with experts. This is therefore likely just the start of us seeing the ICO approve certification schemes that organisations can leverage, both from a compliance and commercial perspective.