Privacy & Information Security Law Blog

On August 19, 2021, the UK Information Commissioner’s Office (“ICO”) approved the criteria for three certification schemes, as required under Article 42(5) of the UK General Data Protection Regulation (“UK GDPR”). Certification schemes are one method for organizations to demonstrate compliance with the UK GDPR.

The ICO has approved criteria for the following schemes:

• ADISA ICT Asset Recovery Certification 8.0: This certification standard was developed for data processors or sub-processors providing data sanitization services to ensure personal data has been permanently removed from IT equipment (e.g., computer hard drives or photocopiers) that will be re-used or destroyed.
• Age Check Certification Scheme (“ACCS”): The ACCS scheme is designed to verify that age assurance and products work correctly to enable organizations to estimate or verify an individual’s age (e.g., for access to age restricted products or services).
• Age Appropriate Design Certification Scheme (“AADCS”): The AADCS scheme addresses children’s online privacy and provides criteria for the age-appropriate design of information society services in accordance with the ICO’s Age Appropriate Design Code (the “Code”). This certification scheme likely will benefit organizations that are subject to the Code, which has a compliance deadline of September 2, 2021.

Following the ICO’s approval, the United Kingdom Accreditation Service (“UKAS”) accredited certification bodies that can now issue certifications against the approved criteria. The Age Check Certification Scheme Ltd has been approved as the UKAS-accredited certification body for the ACCs and AADCS. There currently is no UKAS-accredited certification body for the ADISA certification.