○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree

Please explain your answer, and provide supporting evidence where possible.


Q3.3.8. Are there any mechanisms that could be supported that would benefit UK organisations if they were recognised by the Secretary of State? ○ Yes ○ No ○ Don’t know

Please explain your answer, and provide supporting evidence where possible.

3.4 Certification Schemes

Explanatory box: What are certification schemes?

Certification schemes are voluntary, market-driven frameworks of context-specific rules that, under the UK GDPR, can be used to demonstrate a high standard of compliance and to provide appropriate safeguards for international transfers.

Certifications are characteristically framed at the sectoral or industry level, defining data protection rules and practices covering specific products, processes and services within the context of that sector, industry or similar group. Private bodies can develop criteria for certification schemes to the standards set in legislation and by the ICO. The criteria are submitted for assessment, and prospective certification bodies are accredited by the UK Accreditation Service.

Once accredited, the certification body will assess prospective businesses to see if they meet the requirements to join the scheme. Certification schemes are complex measures that require significant time and resources to design, implement and maintain, and they demonstrate accountability and represent the highest standards of data protection.

266. The government is considering modifications to the framework for certification schemes to provide for a more globally interoperable market-driven system that better supports the use of certifications as an alternative transfer mechanism. The UK GDPR’s accountability principle is central to certification. It is the requirement for organisations to take responsibility for what they do with personal data and how they comply with the UK GDPR.[82] Other jurisdictions take different approaches to defining how standards of accountability should be demonstrated. Their approaches can also require high standards of data protection, but present those requirements in different ways. However, if the accountability requirements for other countries are not compatible with the UK’s, then they will not be interoperable with the UK certifications system, precluding their use.

267. To facilitate compatibility with a wider range of personal data protection regimes, the government proposes to allow certification to be provided for by different approaches to accountability. The proposal would increase the potential of using certifications as a transfer mechanism by allowing more flexibility on how organisations demonstrate their accountability standards. For example, these could be based on privacy management programmes. Privacy management programmes are risk-based organisational commitments, frameworks and controls that ensure a high standard of data protection as a matter of corporate responsibility. Section 2.2 in Chapter 2 provides more detail on privacy management programmes. The government will ensure the approach on accountability remains coherent across its use domestically and internationally. That approach is fundamental to the accountability frameworks of Singapore, Canada and Australia, for example.

268. To bolster their use internationally, the government is considering provisions that clarify that prospective certification bodies outside of the UK can be accredited to run UK-approved international transfer schemes. The government would encourage existing international schemes to engage with UK standards and bodies in other countries to develop UK-compliant schemes to support friction-free data flows with UK businesses.

The government welcomes views on the following questions:

Q3.4.1. To what extent do you agree with the approach the government is considering to allow certifications to be provided by different approaches to accountability, including privacy management programmes? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Q3.4.2. To what extent do you agree that allowing accreditation for non-UK bodies will provide advantages to UK-based organisations? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Q3.4.3. Do you see allowing accreditation for non-UK bodies as being potentially beneficial for you or your organisation? ○ Strongly agree
