The Information Commissioner’s Office has updated its guidance regarding certification schemes under GDPR.
Section 5 of the GDPR sets out approaches towards codes of conduct and certification, with Article 42 specifically addressing certification. Simply put, the regulation provides for data protection certification schemes as a way for data controllers and processors to demonstrate their compliance. It also allows data subjects to recognise organisations that apply appropriate levels of data protection compliance (by looking for a certification badge).
There are currently no approved certification schemes available, but once the EDPB (European Data Protection Board) has finished its current consultation on accreditation and certification guidelines, the ICO plans to submit the UK’s own requirements to the EDPB for comment. The EDPB’s guidelines are due in the summer, with a UK scheme likely to be in place around autumn, although everything depends on how quickly the EDPB finalises its guidelines and approves the ICO’s approach.
The ICO is, however, calling for contact from any organisations that are currently developing, or have already developed, a GDPR-related certification scheme.
More detailed guidance is available for Hub subscribers, here.