What is certification under a certification scheme approved by the ICO?
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
What is certification under a certification scheme approved by the ICO?
The UK GDPR endorses the use of approved certification mechanisms to demonstrate compliance with its requirements.
You can make a restricted transfer under a certification scheme if:
- the certification scheme permits organisations located outside the UK to be certified; and
- the receiver located outside the UK has a certification under a scheme we have approved.
The certification scheme must include safeguards to protect the rights of people the transferred information is about alongside binding and enforceable commitments by the receiver to apply those safeguards.
Before you rely on the approved certification scheme as a safeguard, you must complete a TRA to make sure the standard of protection for people’s information is not materially lower after you transfer it.
There are currently no approved UK certification schemes for restricted transfers. We plan to publish dedicated guidance on using certification schemes for restricted transfers in 2026.
Further reading – ICO guidance