A Borough Council was required by its auditors to improve the Data Processing Agreements with its suppliers. The security company chose UK GDPR Certification as a way of demonstrating it kept its systems up to date and secure and had processes in place to manage access.
A telecoms provider had no way to prove its entire organisation, network, stack and supply chain were free from Huawei infrastructure so that it could meet the UK Governments stipulation to be Huawei free by December 2023.
Reviewing the data flows showed the entire supply chain was UK GDPR compliant. It was proven there was no access available by Chinese entities.
A domiciliary provider wishes to demonstrate its robust management of patient details to the (CQC) Care Quality Commission.
This included the management of physical records surrounding their accuracy and availability along with electronic records and data transfers to other care providers which included local authorities. This also sped up patient transfers.
An online retailer faced large increases to its insurance premiums because it struggled to prove its compliance.
The retailer also faced the possibility of being uninsured as the process of obtaining insurance was protracted.
Certification showed the retailer was an insurable risk and the production of the certificate proved sufficient to speed up the process.
A large restaurant chain placed allergens on its risk register, citing reputational damage as a severe consequence.
It wished to demonstrate to its customers, staff, insurers and shareholders that it took allergens very seriously.
Allergen information was kept secure, accurate and regularly reviewed.
A pension trust needed to show its stakeholders it had robust systems in place to manage the increasing number of cyber attacks and the management of pension holder information. The Trustees were obligated under the new Code of Conduct to seek expert advice and saw UK GDPR Certification as a way of demonstrating this requirement.
This simple answer is no, not yet. To be able to issue certificates we must first be authorised to do so by the ICO and we are nearing being awarded this accolade.
The process of becoming a Certification Body is a two stage process that takes between 18 months to 24 months to complete. We are in the latter stages of the process and expect to be able to offer a full range of certification services in April 2023.
Our certification scheme wording has been evaluated by the ICO to ensure our scheme meets the strict criteria set out by the ICO and aligns to its goals and objectives.
Full details of the role of the ICO in the certification process can be found here:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/certification-schemes-detailed-guidance/
The second stage of the approval process reviews our auditing standards and approach. UKAS (Untied Kingdom Accreditation Service) will review our auditing methodology against ISO/IEC 17065:2012 (Conformity assessment — Requirements for bodies certifying products, processes and services). Our auditing methodology is built to ISO/IEC Directives, Part 1 Annex SL which dovetails into ISO/IEC 17065:2012.
Full details of the role of UKAS in the certification process can be found here:
https://www.ukas.com/accreditation/about/developing-new-programmes/development-programmes/uk-gdpr/
Whilst we cannot issue certification at this point in time, we are accepting "registers of interest" from organisations that wish to become certified and we would like to speak to organisations as part of our consultation.
With certification services are expected to be available from April 2023, we would encourage organisations that are looking for early adoption to start to make preparations so that they are ready to submit an application when the application process opens.
As a Certification Body we can choose to appoint other third party organisations to undertake certification related activities on our behalf. A common activity would be auditing organisations applying for certification using our methodology and certification scheme wording.
Whilst auditors could audit any data processing activity, we envisage specialisms forming where auditors with practical experience gained from working in certain sectors would audit those sectors. Having a first hand knowledge of terminology, typical functions and an understanding would mean the data subjects, the audit process, the auditor and the audited organisation would benefit from having an understanding built up from any time spent in the sector.
Adherence to a UK GDPR Certification Scheme is not compulsory and it should be remembered that compliance with UK GDPR and the Data Protection Act 2018 is mandated for any organisation meeting the requirements set out by the ICO.
UK GDPR Certification is optional and it is intended to be particularly suited to organisations that would derive a benefit from having its products, services or processes certified.
Certification is also intended to be a practical way for an organisations to easily demonstrate compliance with UK GDPR to individuals, businesses and the supervisory authority.
The general public are increasingly becoming increasingly cautious about who they pass their data to and this is true of all demographics. Certification is a way to provide the assurances that individuals seek and encourage engagement. This could be a commercial benefit a see increased sales or trust gain in a public service provided by a public body such as the COVID app.
Businesses are also increasing the level of due diligence they undertake when forming business relationships or when reviewing existing suppliers. Certification can eliminate the friction that the due diligence process creates in working relationships. This friction can sometimes heavily disrupt or even derail working relationships and so certification is intended to simplify and expedite this stage.
Demonstrating UK GDPR compliance for the purpose of obtaining cyber insurance is also a consideration for many organisations and their insurers. Certification mitigates many of the insured risks and this is something insurers welcome.
In the event of a data breach, being able to demonstrate compliance to a UK GDPR approved scheme will be considered as a mitigating factor by the ICO. The ICO has published a draft paper where it explains how it adopts a mitigation factor and aggravating factor approach when considering regulatory actions and penalties.
Certification lasts for 12 months from the date of issue and is based on ISO 17065:2012 and therefore follows the ISO methodology of a Full Audit in Year 1 with Surveillance Audits in Years 2 and 3, with a Full Audit in Year 4 and then surveillance audits in years 5 and 6 and so on for the as long as certification is required.
As a certification body we must ensure we provide the necessary information you will need to make decisions and cannot be seen to provide recommendations or influence your decision making. In doing so, we would be auditing our own views, opinions and methods.
We will provide:
- Public registers of Certified Processes, Authorised Third Party Organisations and a Register of Suspended, Expired and Revoked Certificates.
- Feedback regarding the suitability of any proposed certified process will be provided prior to the Full Audit commencing. This stage ensures the certified process is auditable, highlights potential first and third party costs, considers timescales and other necessary resources required to satisfy the auditing criteria.
- A list of auditors will be provided for the applicant to select from. We do not influence the applicant's selection of an auditor and all auditors have equal standing. Considerations such as geographic location, expertise, cost and availability should form the decision making.
- Information that could affect the risks to personal data will be available in various forms such as email newsletters, articles and press releases. This could be related to new and emerging threats or changes to legislation and how the risks affect the certified process is for the applicant or certificate holder to determine.
- An independent panel to hear complaints from the public and review the circumstances before making an decisions concerning dismissing claims, stipulating actions to be taken, suspensions, revocations or restorations relating to certified processes.
The Certification process is priced according to the complexity and size of the Target of Evaluation/Scope. As the Target of Evaluation is typically narrow, so the cost can be relatively small. It should be remembered that we are not auditing the whole organisation, just a particular product, service or process. A number of detailed examples are provided in the pricing section of this website. We can provide you with a quotation on receiving a completed a Target of Evaluation form.
The initial certification lasts for 12 months from the date of issue and will need to be renewed annually thereafter. Certification is based on an ISO 17065:2012 framework and follows the ISO methodology of a Full Audit in Year 1 with Surveillance Audits in Years 2 and 3, with a Full Audit in Year 4 and then Surveillance Audits in years 5 and 6, and so on for as long as certification is required.
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Integer feugiat scelerisque varius morbi enim. Eget nunc scelerisque viverra mauris.
We review the controls that are in place and also balance the quantities and types of data being transferred. We need to see IDTA's, SCC's, along with Data Processing Agreements and where necessary insurance are in place.
The answer is yes and this is how the GDPC was designed.
Some insurers offer reduced premiums where our Certification Scheme is in place. Certification reduces the likelihood of incidents and should an incident occur, reduces the severity of any impact which positively affect risks in the eyes of the insurer and means the Certified Process is an insurable risk.