GDPR Certification – will it be worth it?

The Information Commissioner’s Office (ICO) has announced that it will be supporting GDPR certification for data controllers and processors although the ICO itself has “no plans to accredit certification bodies or carry out certification at this time”. Rather the ICO will approve certification schemes that will be undertaken by third party assessors.

In the UK, the national accreditation body, UKAS will be responsible for accrediting certification bodies and maintaining a public register. The European Data Protection Board (EDPB) will be responsible for the collation of a register of all accredited certification schemes across EU member states.

While currently any certification will be voluntary, it may be worth working towards certification even at this early stage as there will likely be several benefits:

1) Certification will help to demonstrate compliance with GDPR – both to the regulator and to clients and prospects. Particularly for those organisations who provide services that involve processing personal data on behalf of clients, some kind of GDPR certification will be a clear competitive advantage.

2) Certification should help to raise standards and encourage best practice for data protection.

3) GDPR certification will inevitably be a consideration when government contracts are being awarded. Private sector organisations are also likely to look favourably on GDPR certification when looking at their supply chains.

4) The ICO says that “certification will be considered as a mitigating factor when the ICO is considering imposing a fine”. Depending on the size of your organisation and likelihood of a data breach, any costs involved in achieving GDPR certification may be considered pretty good value.

5) If certification is made mandatory in the future for certain types of data processing, certified organisations will be at a distinct competitive advantage over those who have not gone down the GDPR certification route.

While it’s early days for GDPR certification, it’s clear that data protection and data privacy are moving up the agenda for organisations of all sizes and increasing public awareness means that reputational damage from data breaches and other misuse of personal data may well be more costly than the substantial financial penalties that are now available to regulators.

GDPR certification in itself isn’t a solution for data protection issues, but it shows a commitment to data privacy and adherance to minimum standards for storing and processing personal data. Given the ICO’s guidance that certification schemes should reflect the needs of micro, small and medium sized enterprises, this is a good opportunity for smaller companies to gain competitive advantage over their larger rivals.

If you have just made a decent job of meeting your obligations for GDPR compliance, now is probably the best time to start your journey towards certification. Much of the work will already have been done and the certification process will help you identify and improve any areas of weakness.

If you have been struggling to meet the deadline and there are still tasks to be completed, perhaps the prospect of certification will provide the framework and target you need to get fully compliant!

If you want to talk to a data protection expert about your options for GDPR and other security certifications, complete the form opposite to book a no-obligation call.



ICO GDPR certification guidance

EU – Draft Guidelines on the accreditation of certification bodies

EU – General Data Protection Regulation




Certification can help you demonstrate compliance, but does not reduce your data protection responsibilities. Whilst certification will be considered as a mitigating factor when the ICO is considering imposing a fine, non- compliance with a certification scheme can also be a reason for issuing a fine. Information Commissioner's Office

Talk to me...