Skip to content

How Does My Company Obtain an ICO Certificate in the UK?

Table of Contents

If your business handles sensitive information, you should obtain certification. All information you handle must comply with the GDPR (General Data Protection Regulation) and the Data Protection Act. Certification demonstrates to the public that your company is taking accountability and complying with data protection rules. These rules are policed and enforced by the Information Commissioner’s Office (ICO). The ICO provides guidance, investigates alleged breaches, and issues fines against businesses violating data protection rules. Additionally, the ICO website can lead you to an ICO certificate provider. This article will explain the nature and purpose of an ICO certificate and how it can help your business demonstrate compliance with data protection rules.

ICO Aims

The ICO has several goals concerning UK data protection law, which include:

  • providing detailed guidance on data protection principles and obligations on their website; 
  • ensuring companies respond accurately and swiftly to subject access requests;
  • encouraging businesses to handle personal data safely and securely;
  • providing a system for companies to report serious data breaches within 72 hours; and
  • issuing fines to organisations that commit personal data breaches and fail to follow good practices when processing personal data.

What is an ICO Certificate?

The ICO approves certification schemes operated by third parties. You must ensure the certification body you choose is approved. The ICO website includes a list of approved schemes.

At present, there are three types of ICO certificates, which cover:

  • asset recovery;
  • age checks; and
  • age-appropriate design.

Each type of ICO certificate scheme will have specific criteria and a financial cost. In addition, they will contain detailed requirements to ensure that companies with those certificates can demonstrate high levels of data protection compliance. The ICO will likely add more schemes to the list in the future.

If your business meets the certification scheme criteria, it can discuss the specific logo or mark of that scheme on its website and advertising materials. This demonstrates that your company handles personal information securely and in line with the GDPR requirements. Accordingly, these certificates may also be known as ‘UK GDPR certification’.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Example

Let us say that your business sells kitchenware items. Some of those kitchenware items will include knives, blades and sharp utensils. It may benefit your business to obtain an ICO certificate for the age check certification scheme (ACCS) to demonstrate that your age assurance system works.

This scheme will set out various tests to ensure that your age check system is thorough, accurate and in line with GDPR requirements. Overall, the certificate demonstrates that your business has done all it reasonably can to ensure the system is legal and works well.

Furthermore, by obtaining this certification, your organisation shows that it takes the social issues of knife crime and complying with age requirements on restricted items seriously. Therefore, your business can promote the fact it has this ICO certification on its website and within its written materials.

Other Benefits of ICO Certification

The ICO confirms on their website that having certification can demonstrate a mitigating factor within any future ICO investigation. Thus your company can argue that obtaining and paying for ICO certification demonstrates that it takes all reasonable steps to comply with data protection rules.

This is useful because the ICO can issue fines to organisations that breach data protection laws. The maximum fine is £17.5m (or 4% of annual global turnover). Therefore, having evidence that can potentially reduce such fines is in your company’s interest.

Key Takeaways

The ICO acts as the referee for data protection purposes in the UK and applies penalties for the public interest. Therefore, the ICO will determine the punishment if your organisation breaches data protection rules. Having an ICO certificate helps your company demonstrate that it carries out good data practice and gives it a better chance of defending ICO investigations into alleged data protection breaches. It can also help your image with potential customers by giving them confidence that you will handle sensitive information well.

If you need help with data protection requirements and obtaining ICO certification, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why are there only a few ICO certification schemes?

There are only a few schemes as it is a relatively new ICO initiative. However, the ICO state that they plan to develop and recognise different certification schemes in 2022 and beyond.

Do ICO Certificates replace ISO standards?

No, these are separate schemes that complement (but do not overlap) each other. Thus, a different body runs ISO standards with different compliance rules.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards