The Articles: No. 42 Certification

GDPR Certification, what is it and do I need it?

The GDPR (General Data Protection Regulation) is already UK law. As with any law, abiding by it is not a choice it is mandatory. If, as a business you fall within scope of the GDPR due to the data you process then you must comply.

Article 42 States:

“The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.”

What does this mean?

The ICO as the supervisory body for the UK is working on a GDPR Certification, and according to their website is going to publish guidelines in 2017.

So, if you and or your business is working on the principle of “I will get around to GDPR at some point”, don’t forget that the 25th May 2018 is the deadline for compliance you should be working towards.

Even if you do nothing until certification comes in and are happy to run a compliance risk, your competitors and data subjects will be less likely to trust you if you aren’t certified.

*** Certification demonstrates a level of maturity and due care with respect to data privacy ***

If your competitors have it and your business doesn’t – who would you trust?

Will my business need to be certified?

Your business will not NEED to be certified, however it will be strongly encouraged, and looked upon favourably by the ICO, and your business partners and data subjects.

“Adherence to a code of conduct may serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine.”

Why encourage certification if we have to comply by law?

The GDPR as with any law can be open to interpretation, also the specific requirements for complying with GDPR are not necessarily self-evident from the regulation itself.

A certification mechanism is likely to be far more prescriptive and therefore provide an easier route to follow. However, the downside is that areas of the regulation like Security of Processing – Article 32, will expand from a paragraph into something closer to PCI DSS or ISO 27001.

In our opinion, the certification scheme ‘might’ cover the following areas: –

  • Existence and quality/content of documents policies and procedures
  • Following procedures to be evidenced and proven
  • Audit trails of agreements and consents from data subjects
  • Data processing statement
  • ICO Registration
  • Data accuracy
  • Data retention and deletion – right to be forgotten
  • IT Security controls
    • Encryption
    • Data loss prevention
  • Physical security
  • Contractual obligations
  • Staff awareness
  • Data asset inventory

This list is just our opinion and is in no way intended to be exhaustive.

How do I do all that as a small business?

Certification, if it follows ISO27001 and or PCI DSS type format could be quite lengthy and potentially costly, and as with the other types of certification has the potential to be overly punitive on small business.

The GDPR has at least considered this and the needs of smaller businesses ought to be taken care of.

“The specific needs of micro, small and medium sized enterprises must be taken into account.”


  • Certification is coming.
  • It will provide a yardstick by which data privacy can be measured
  • It will be very obvious who cares about protecting data and who doesn’t

Why wait until you are playing catch up with your competitors, start acting on the GDPR now and be an advocate for data privacy.

If you would like to know more about how GDPR Auditing can help your organisation with GDPR or have any suggestions of future posts for this series please email us at or email the author

© GDPR Auditing 2017
The information provided in this post is for general information only and is not intended to provide legal advice.