GDPR certification: What is it, and do you need it?


For many businesses, preparing for the General Data Protection Regulation (GDPR) was a difficult process. Rigid new regulations around data protection meant that businesses had a whole new set of responsibilities, which were harder for some to adopt than others.

Though it has been years since the GDPR was rolled out, many UK businesses still seek compliance with the understanding that it’s a meticulous process. The Information Commissioner's Office (ICO) accepts this fact.

Nevertheless, businesses continue to be approached by companies that claim expertise on GDPR as well as wider data protection and privacy. Some market their services, courses, or certifications as offering customers full GDPR compliance.

Taking them up on the offer may have seemed tempting, if not the right thing to do, considering the concerns about potentially huge fines for falling short. We must stress, however, that GDPR compliance isn’t something that you can purchase or fully outsource, and there’s no one quick fix to ensuring you won’t find yourself on the wrong side of the law.

While it’s perfectly reasonable, and indeed very wise, to seek external advice, there is no silver bullet to GDPR compliance. The ICO has previously said that it’s working on generating an index of approved schemes or accreditation bodies.

Work has picked up in this area, but for many use cases there remain no ‘easy outs’ for becoming GDPR compliant.

Bodies approved in this manner can issue organizations with certification to prove they are GDPR compliant. This lasts for three years before organizations need to seek renewal.

Of course, the ICO may audit organisations' compliance, and certainly will in the case of a breach, so it pays to be able to demonstrate that you abide by the legislation. So the question becomes, how can you do this?

GDPR compliance vs certification

While some firms may pressure businesses into feeling that compliance and certification go hand-in-hand, it's not that simple. Being compliant and showing that off on an official level are not the same thing.

How can you demonstrate GDPR compliance?

Corporate and commercial solicitor at Kirwans law firm, James Pressley, tells IT Pro there are a few different forms of proof organizations can offer the ICO. These must all demonstrate:

  • Internal policies and procedures that comply with the GDPR's requirements
  • The implementation of the policies and processes into the organization's activities
  • Effective internal compliance measures
  • External controls

"All of these would not only need to be documented (for example, policies) but there would need to be a record kept of how they were being carried out in practice to demonstrate compliance," Pressley explains.

Data controllers, the bodies that decide the purposes for data processing and the ways in which it will be processed, must also demonstrate that they have come up with a GDPR-compliant data protection program, a structure for governance, and privacy controls.

The entity responsible for processing data on the data controller’s behalf is the data processor, which is often a third party, as it cannot be an employee of the data controller. The data controller is obligated to ensure that the data processor remains compliant with the law.

How does the ICO measure GDPR compliance?

Alongside other EU member state data protection authorities, the ICO considers whether your organization is compliant with the aforementioned criteria. It can be a good idea to have legal assistance when it comes to GDPR, as it comprises many measures that have to be followed exactly.

"The GDPR is holistic: you have to comply with all aspects of the GDPR," says Dai Davis, data protection lawyer at Percy Crow Davis & Co law firm.

While there may be some debate as to whether a data protection policy is adequate, Pressley adds: "Past experience would suggest that the ICO requires full compliance with legislation and is unlikely to accept poor documentation or implementation."

Both lawyers make the point that when it comes to audits, firms suffering security breaches will be the ICO's first port of call.

"In practice [the ICO measures compliance] by (a) becoming aware of organizations suffering from public breaches and (b) auditing organizations - especially those falling into the former category," Davis says.

Are any GDPR certification schemes worth it?

This may vary by company, but as laid out above, demonstrating compliance can be a lot more complex than a course or a certificate. However, depending on your needs, there are a few certification schemes that have an official ICO stamp of approval.

The ICO has given the United Kingdom Accreditation Service (UKAS) the go-ahead for just four sets of criteria for UK GDPR certification schemes:

  • ADISA ICT Asset Recovery Certification 8.0, which provides data processors with a standard for data sanitization on IT hardware for safe disposal or recycling.
  • Age Appropriate Design Certification Scheme (AADCS), which provides criteria for appropriate information society services centred on the ICO Children’s Code.
  • Age Check Certification Scheme (ACCS), which introduces checks for age verification within products and services.
  • Provision of Training and Qualifications Services, which aims to improve the confidence of training companies, give data subjects the ability to make informed choices around training companies and ensure that personal data is processed by these companies correctly.

“All four of these certification schemes are hugely positive developments for organizations to be a part of,” said Emily Keaney, deputy commissioner at the ICO.

“Not only do they offer certainty to businesses to get things right, but they also provide a binding framework for organizations to sign up to, ensuring they raise the bar when it comes to data protection.

“In an era where trust and accountability are paramount, these schemes are a way of reassuring your customers, clients, and suppliers that you hold additional expertise in a given area, are committed to building data privacy into your work, and adhere to strong standards.”

Other schemes will say their certification is valid for GDPR, but in fact, they're often based on the National Cyber Security Centre's Cyber Secure standard, Pressley says. That means organizations that undertake their courses may still be found non-compliant by the ICO.

Davis adds that existing schemes using the GDPR legislation as their basis may have some value.

"The more any organization does to comply the better. Obtaining any form of external certification implies that [an] external organization is going to check where the target organization is not doing enough, thus enabling the target organization to become more compliant."

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.