Certification and Codes of Practices are strongly encouraged as part of the original EU GDPR, mentioned throughout the text but especially at Articles 24, 25, 28, 32, 35, 46 and in detail in Articles 40-43. The Supervisory body has duties and powers (including to encourage their adoption) in Articles 57 and 58, and the European Data Protection Board (EDPB) in articles 64 and 70.

Since the UK GDPR came into effect following Brexit, UK controllers and processors have continued to adapt to a regime that mirrors the principles of the EU GDPR, with the DPA 2018 and PECR 2003. However, this framework is now beginning to diverge with the Data (Use and Access) Act provisions, which will see controllers and processors operating under domestic oversight by the “soon to be” Information Commission (IC).