The ICO exists to empower you through information.

In brief

What do we need to know before applying to become a certification body?

  • You will go through the UKAS accreditation process where you are evaluated against the standards outlined in ISO 17065 and the UK additional accreditation requirements.

  • In order to be eligible for accreditation your organisation needs to be a formal legal entity that can be held legally responsible for its certification activities.
  • Your organisation must be located in the UK.
  • To ensure impartiality there must be no relevant connection between the certification body and the applicant. For example, you cannot provide consultancy services and certification to the same organisation.
  • Your organisation should be able to demonstrate that your certification process complies with the UK GDPR and the DPA18 certification process. You must also confirm to UKAS that you are not the subject of any ICO investigation or regulatory action that means you may not meet this requirement.
  • Accreditation can take from 6-18 months depending on the nature of your organisation and the complexity of the certification scheme you want to deliver.
  • UKAS charge a fee for accreditation. There is more information about the accreditation process and potential costs on the UKAS website.

How do we apply to become a certification body?

  • Once you know what certification scheme you want to deliver you apply directly to UKAS for accreditation.
  • Accreditation includes an assessment of how you plan to audit and test organisations against the certification criteria.

What is a certification body’s relationship with the ICO?

  • UKAS provide the ICO with details of applications it receives as well as accreditations they issue, refuse or withdraw.
  • They also provide us with a summary of complaints and appeals they receive.
  • UKAS are required to notify the ICO of any non-conformity of the certification body that has the potential to lead to suspension or withdrawal of accreditation or could result in an infringement of the UK GDPR or damage to the integrity of UK GDPR certification.
  • Certification bodies are required to inform the ICO about all applications they receive at the application stage and their reasons for granting/withdrawing certification.

How will people know about our accreditation?

UKAS publish details of accredited certification bodies on their website, and we will link to their list of accredited organisations from our website.

What information will be published?

As a certification body you are required to create a directory of certified clients containing information required by ISO 17065 and the ICO additional accreditation requirements. This is a publicly accessible record of certifications issued and on what basis. It includes information about the certification mechanism, how long the certifications are valid for and under which framework and conditions.

Further information

EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

You can find out more about the requirements for accreditation of certification bodies in the EDPB accreditation guidelines. The UK additional accreditation requirements are based on Annex 1 of these guidelines.