A leading solicitor has spoken of his concerns that the government has not yet accredited any GDPR certification bodies, just two weeks before the EU regulation comes into force.
James Pressley, corporate and commercial solicitor at Kirwans law firm, said businesses needed confirmation that their efforts had rendered them GDPR compliant – yet there is still no official certification process in place.
The delay means that thousands of firms have been left in the dark as to whether they could face millions of pounds worth of fines for non-compliance.
The General Data Protection Regulation (GDPR), due to come into force on May 25, is one of the biggest changes in the UK’s data protection history, and will standardise data protection legislation across EU states to ensure all consumers are covered to the same level.
Easily recognisable certification seals or marks are expected to be introduced, which, once awarded, would reassure consumers that their data was being properly dealt with by a government-certified business.
James explained: “According to articles 42 and 43 of the GDPR, the EU encourages its member states to establish their own non-compulsory certification schemes. In the UK’s case, the Information Commissioner’s Office (ICO) is responsible for both establishing ‘data protection certification mechanisms and data protection seals and marks’, and for the ‘accreditation of certification bodies’.
“The general expectation was that, by now, these ‘certification mechanisms’ and ‘certification bodies’ would have been in place, both so that the ICO had a checklist of GDPR-compliant businesses that they didn’t have to waste taxpayers’ money investigating, and so that firms could be assured that they had done enough to avoid huge penalties.
“However, with just two weeks to go before the changes are implemented, there is a growing fear out there by businesses that, despite their best efforts to introduce a comprehensive GDPR compliance structure, they may have overlooked something which could land them in hot water.”
In addition, said James, the inability to obtain a certifying mark or seal is frustrating the majority of businesses who pride themselves on providing outstanding service to their customers.
“Consumers are increasingly conscious of how their data is being used and a GDPR mark or seal could one day become as well known as the padlock symbol used to denote secure websites,” he said. “However, without an official mark or seal, GDPR-compliant firms are unable to reassure their customers.”
The EU has advised that the certification would be issued by accredited certification bodies for three years, at which point it could be renewed under the same conditions, as long as the requirements were still met.
Yet plans to accredit certification bodies have not yet been published by the ICO, leading to many businesses turning to unaccredited GDPR advisors to guide them through the process.
James said: “The government’s statement of intent on a new Data Protection Bill made it clear that the provisions of the GDPR will remain effective in the UK even after Brexit, so it’s important that a recognised accreditation process is put in place as soon as possible.
“The ICO has put a helpline in place for SMEs and charities, but that is no substitute for the detailed analysis that would be needed to receive the accreditation that would assure businesses and their customers of their compliance.
“Firms are keen to get it right – they just need the tools to help them confirm that they’re doing so.”