ICO’s certification scheme now nearer to being deployed

The ICO announced on 20 December the appointment of the UK Accreditation Service (UKAS) to deliver ICO-approved certification schemes.

The arrangement is that the ICO will approve and publish the certification schemes and UKAS will accredit certification bodies which will assess whether organisations are fulfilling the set criteria (PL&B UK Report September 2018 pp.14-15).

This work has been undertaken within the framework of the European Data Protection Board (EDPB) which at its meeting on 2 December adopted its opinion on the ICO’s draft decision on the Accreditation Requirements for Codes of Conduct monitoring bodies. The EDPB’s opinion aims to ensure consistency across the European Economic Area and the correct application of these requirements by EEA Supervisory Authorities. In the opinion, the EDPB proposed some changes to the ICO’s draft accreditation requirements, for example, on independence, conflict of interest, expertise, corrective measures, and transparent complaint handling.

Ian Hulme, Director for Regulatory Assurance, ICO, stated: “Certification is voluntary, and therefore a very valuable means of gaining and demonstrating GDPR compliance.” Matt Gantley, Chief Executive, UKAS, stated: “We look forward to continuing our successful partnership with the ICO as new GDPR schemes are developed and to welcome expressions of interest from organisations wishing to become accredited certification bodies.”

PL&B will continue to monitor the ICO’s certification programme and has put several questions to the ICO, the answers to which companies interested in gaining certification will want to know, for example:

  1. When will UKAS start accrediting certification bodies?
  2. What will be the stages of the accreditation process?
  3. How long does the ICO expect the application and accreditation process to take?
  4. What will be the ICO’s continuing oversight and policy roles?
  5. Regarding the scope of a certification process, and appreciating that the certification process will be a learning curve for all parties, what will be the first types of certification schemes to be published by the ICO and when?

If you have questions which you would like PL&B to put to the ICO and/or UKAS on an anonymous basis, please send them by 7 January to info@privacylaws.com.