
How do we develop a certification scheme?


What are certification schemes?

Certification schemes consist of three key elements:

  • The criteria outlining specific data protection requirements. These form the ‘standard’ against which the conformity of a product or service is assessed.
  • The audit and testing methods that are used by the certification body to carry out that assessment.
  • The scheme manual, setting the rules for the management and operation of the scheme.

UK GDPR certification is different from many data protection certification products currently available. The focus is less on information governance arrangements and management systems, and more on an in-depth assessment of how personal data is actually processed. The certification covers the processing relating to a specific product, process or service offered by a controller or processor, rather than the whole organisation. For example, a bank may apply to have its online banking service certified as compliant with an appropriate scheme’s criteria.

For personal data, ‘processing’ means any operation(s), which is performed on personal data or on sets of personal data (whether or not by automated means) such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.

For UK GDPR certification, we are only required to assess the criteria outlining specific data protection requirements. Depending on the role of your organisation in relation to the scheme, you may need to develop only the criteria or a complete scheme. 

UKAS is the UK’s National Accreditation Body, appointed by government. It is responsible for the accreditation of certification bodies that intend to deliver UK GDPR certification schemes. It also assesses scheme requirements, including certification criteria, to ensure they are suitable for accreditation purposes. The scheme owner will incur costs for this assessment.

If you are also intending to be the certification body for the scheme this will be assessed as part of the accreditation process.

You should contact UKAS directly for further information on the process and the costs involved for scheme assessment and accreditation. 

The Guide to UK GDPR certification page contains links to EDPB guidelines on certification and accreditation. EDPB guidelines are not binding under the UK regime and are no longer directly relevant to it. However, our requirements were based on these guidelines, so they may still provide helpful guidance when developing certification criteria.

What can a UK GDPR scheme be about?

A key consideration in determining what a UK GDPR certification scheme can be about (the scope) is how it will benefit your target market and the individuals who use the product or services being certified. The scheme should explain how the UK GDPR can be practically applied to a specific processing activity. It should also allow data subjects to easily assess the level of data protection of the products, processes and services offered by controllers and processors.

The scope of a scheme can be specific or more general. A specific scheme might only be aimed at a particular sector for a specific type of product or service, for example online banking portals, and the criteria will only relate to the processing of personal data related to such portals.

A general scheme aims to cover all aspects of UK GDPR and can be applied to any processing activity. However, it will still need to be granular enough to provide robust and meaningful certification.

You could consider having a general scheme (covering all aspects of UK GDPR) but with limited application, for example only applying to third party payroll services.

Alternatively, the scope of the scheme could be focused on only one area of the UK GDPR, for example transparency or automated decision making.

To help you decide, you should consider:

  • any general/sectoral/industry data processing issues you might want to address through your scheme. You should carry out research and consultation within your proposed target market to ensure that your scheme meets a need and will have market viability;
  • where is there a need for enhanced trust;
  • how the processing impacts data subjects and how the proposed criteria or scheme would help them;
  • how the certification documentation (including any certification mark) ensures that people can easily and immediately understand what is being certified and what that means for them;
  • what schemes are already available; and
  • the name of the scheme – does it accurately reflect the scope, and will people understand it?

Why does the ICO consider market demand?

We consider market demand because data protection schemes need a clear purpose and must offer benefits and enhanced protections to the people whose information is being used.

The Office for Product Safety and Standards (OPSS) guidance on conformity assessment (eg certification) and accreditation states that:

“Conformity assessment schemes should be driven by market demand including demand from end-users and consumers…conformity assessment should be a free-market, competitive activity”.

We want to ensure that the scheme criteria we approve cover a wide range of different processing activities. We want to cover areas which could benefit from certification due to clearly identified market, legislative or consumer demand.

To ensure the certification scheme is a viable proposition, we assess whether there is evidence of market, consumer or regulatory demand or support for the scheme. Where the proposed scheme is similar in scope to existing ICO approved and published scheme criteria, we look for evidence of ‘added value’.

This approach also supports subsequent scheme take-up by organisations, and is the most effective use of our resources to assess and approve scheme criteria.

How should we consider market demand?

You should consider and be able to demonstrate the market, consumer or legislative demand for your certification scheme. You should also think about the benefits for people, data controllers and processors.

Your considerations could include, but are not limited to:

  • Evidence of demand or market support from potential end-users and consumers

This could include a consultation or engagement with identified scheme end-users, ie potential certified organisations, the public, industry bodies, consumer representative bodies or certification bodies.

  • Awareness of existing UK GDPR certification schemes

Evidence of benchmarking your scheme against existing schemes. In particular, if similar scheme criteria are already approved and published on the ICO website, you should demonstrate the ‘added value’ or unique demand that your scheme criteria meets.

  • Market and industry knowledge

Evidence of relevant economic, social, technological, legal, regulatory or other factors which may drive the demand for your certification scheme’s development.

  • Business case considerations

Considerations of commercial viability. This could include financial planning projections or an implementation or delivery strategy for the proposed scheme.

  • Regulatory priorities and prevention of harm

How the criteria support or are based on existing regulatory priorities, data protection guidance, ICO codes of practice, government priorities or any other public or consumer interest issues. These should be appropriate to data protection and, in particular, preventing harm to the public.

What can be certified?

UK GDPR certification can only be applied to processing activities relating to a specific product, process or service offered by an organisation. Therefore, when developing scheme criteria, you should consider what possible processing activities might be covered under the scope of the scheme and how this might shape the scheme criteria.

You may consider excluding certain types of processing from the scope depending on the nature of the scheme. For example, if the scheme is called “Health Privacy Mark”, any processing that is not health data would be out of scope and this should be stated in the scheme documentation.

The criteria should require organisations to explain where the processing that is subject to evaluation starts and ends, so that the intended audience, including individuals, understand what exactly is being certified and what that certification means. This is referred to as the ‘object of certification’ or ‘target of evaluation’.

What are the requirements for UK GDPR certification criteria?

Certification criteria must provide common, specific and practical applications of UK GDPR principles and rules. To provide adequate assurance, the criteria must provide a standard for best practice in data protection – not merely restate the UK GDPR.

Criteria must relate to and be directed at the processing activities that you intend to be certified. Criteria for an information management system may make up part of the scheme but cannot be its sole focus; for example, you might include a section that covers information governance requirements alongside the processing-specific criteria.

The document outlining the criteria must contain, as a minimum, the following sections:

  1. Introduction covering the background and motivation for the scheme, including how the criteria will improve data protection compliance and benefit data subjects.
  2. Scope of certification mechanism.
  3. Target of evaluation (ToE) – describing how to define the processing activities to be certified.
  4. Normative references.
  5. Terms & Definitions.
  6. Criteria addressing:

(a) lawfulness of processing (Art 6-10)

(b) principles of data processing (Art 5)

(c) general obligations of controllers and processors (Chapter IV)

(d) data subjects’ rights (Art 12-23)

(e) obligation to notify data breaches (Art 33-34)

(f) obligation of DP by design and default (Art 25)

(g) assessment of risks to rights and freedoms of individuals, including completion of a DPIA where required (Art 35(7)(d))

(h) technical and organisational measures guaranteeing protection in line with above

(i) technical and organisational measures to ensure appropriate level of security (Art 32)

(j) other privacy enhancing techniques;

(k) international transfers (Art 44-49); and

(l) requirements for effective information governance, including: leadership and oversight; policies and procedures; training and awareness; records of processing; assessing privacy risks and DPIAs; internal audit and continual improvement. 

You should include an explanation for each criterion (where necessary), implementation guidance and examples of how to demonstrate compliance. How compliance is tested will be considered fully as part of the accreditation process for certification bodies and the certification process for controllers and processors.

Certification scheme criteria must be:

  • auditable (ie specify clearly defined, measurable objectives);
  • relevant to the processing and target audience;
  • inter-operable with other standards, for example ISO standards; and
  • scalable for application to different size or type of processing/organisations.

Do we need to describe the evaluation methods?

If you are a certification body (or seeking accreditation as one) developing a complete certification scheme rather than just the criteria, then you also need to develop a separate document outlining the methods for evaluation and testing conformity against the certification criteria.

The nature of the evaluation should consider the scope of the scheme and the potential processing activities it may be applied to, as this will have an impact on the significance and value of the certification. For example, reducing the extent of evaluation for practical purposes or to reduce costs, will reduce the significance of the certification.

If you have only developed the criteria or standard, you may still need to provide guidance for certification bodies who will carry out conformity assessment activities against those criteria. This guidance may outline specific requirements (where they exist) taking into account the potential target of evaluation. For example, it may include requirements for audit and testing methodology, and expertise of certification body personnel carrying out the assessment. This helps ensure consistency where there are multiple certification bodies. 

In both cases you will also need to document the rules for the operation and management of the scheme.

Does the scheme include the use of a certification mark?

If the scheme includes a certification mark or logo that can be used by the controller or processor to signify successful completion of the certification procedure, then you need to demonstrate that you have protected those marks and laid down rules for their use.

The design of the mark or logo should help the public understand the meaning of the certification where possible. For example, a ‘Health Privacy Mark’ would indicate to the public that the certification is about enhanced privacy of their health information.

How should we test our scheme?

The UKAS assessment requires scheme owners to demonstrate that the scheme has successfully completed a testing period, demonstrating it is fit for purpose and delivers the intended results. You should test your scheme with several volunteer organisations.

If you are not proposing to deliver the scheme yourself, you may want to contact prospective certification bodies who can help you test your scheme.

Where there are multiple certification bodies involved in delivery of the scheme, UKAS may need to run a pilot to ensure the scheme delivers consistent results.

How can the ICO help?

Developing a certification scheme is a complex process, so we welcome informal discussions with interested parties to ensure schemes are developed in line with the relevant guidelines and requirements.

There are two stages to the application process – the proposal stage and the scheme development stage. We will provide additional guidance and support at each stage. 

The proposal stage requires you to outline what your proposed scheme is about, who and what it will apply to and how it will benefit people, as well as demonstrating market demand. 

If we accept your proposal, the scheme development stage follows. This involves developing scheme documentation, including the data protection requirements that processing must comply with. These will be submitted to us for assessment.

You can contact us at [email protected].

How will the ICO assess the scheme proposal and criteria?

We will assess the Scheme Proposal against the following requirements:

  1. The application includes details of the scheme owner(s), details of any partnerships, their legal status, and details/accreditation status of any CBs involved.
  2. Scheme owner(s) meet the eligibility requirements outlined in the proposal applicant guidance.
  3. None of the parties involved in scheme delivery are subject to any relevant ICO investigation or regulatory action.
  4. The scheme operating model is clear and is in line with UKAS rules and the relevant conformity assessment standards.
  5. The scheme’s subject matter and intended target market is clear.
  6. The scope is clearly defined – outlining what types of organisations and processing activities are in/out of scope (including territorial scope).
  7. Consideration has been given to how information is used in the processing activities in the scope of the scheme.
  8. It is clear whether special category/criminal offence data or high risk processing is involved.
  9. The correct areas of UK GDPR have been applied/disapplied in line with the proposed scope.
  10. It is clear how the scheme will benefit the target market and the individuals who use the product or services being certified.
  11. Documented research and/or consultation has been undertaken that supports the scheme.
  12. There is evidence that the scheme owner has (or has access to) the requisite knowledge and experience of the subject matter, UK data protection law and the accredited certification framework.

If we accept your proposal, we will then ask you to develop and submit your draft certification criteria outlining the data protection requirements for your scheme. We will assess these to look at how effectively the criteria practically apply UK GDPR.

We will assess the scheme documentation and certification scheme criteria against the following requirements:

  1. Scheme documents are well structured with numbered clauses and are written in a clear and understandable way.
  2. All relevant terms are defined, and normative references identified.
  3. The scope for which the data protection criteria shall be used is clearly described, not misleading and reflects all relevant aspects of the processing operations.
  4. The scheme requires a clearly defined target of evaluation (what is being certified), justifying any exclusions.
  5. The criteria cover all applicable aspects of UK GDPR, and clearly and precisely describe auditable requirements which are written in terms of measurable outcomes.
  6. The criteria accurately reflect UK data protection law and ICO guidance, including applicable statutory codes of practice (eg data sharing code).
  7. The criteria include requirements for effective data protection governance and accountability in line with the ICO’s accountability framework.
  8. The criteria fully and adequately reflect all aspects of the scope and the lifecycle of the processing in order to provide sufficient guarantees of compliance and meaningful, robust certification.
  9. The criteria document contains supporting guidance notes (where necessary), providing implementation guidance and contextual information, which allows users to understand and implement the criteria.
  10. The criteria adequately reflect the scale and risk of the processing in scope.
  11. The criteria are flexible and scalable for application to different types and sizes of organisations including micro, small and medium sized enterprises, where applicable.
  12. The scheme documents are compatible with the accreditation requirements set out in ISO/IEC 17065 and the UK Additional Accreditation Requirements for certification bodies.
  13. The criteria are likely to improve data protection compliance of controllers and/or processors and benefit data subjects in respect of their information rights.

Once any required changes are made and the criteria meet the full requirements enabling controllers and processors to demonstrate compliance with the UK GDPR, we can grant approval.

UKAS also assesses the proposed scheme criteria to ensure that they are suitable for accreditation (ie the UK GDPR certification criteria in the scheme are fit for purpose, measurable, deliver the right outcomes and have been established in consultation with relevant stakeholders). You should contact UKAS directly for further information on the assessment and the costs involved.

Once we have established that our assessment requirements are met, UKAS will conduct its assessment.

How will people know our criteria have been approved?

Once the criteria are finalised the details are published on our website.

Please note it is a requirement for scheme criteria to be made publicly available.

How do certification schemes work as an international transfer tool?

We recognise that the use of certification schemes as an international transfer tool is a new mechanism, and we are committed to supporting their development. If you want to speak to us about establishing a certification scheme for the transfer of personal data to a third country or international organisation, please contact us at [email protected].