GDPR Certification Schemes - doing the heavy lifting for you

Was GDPR all hot air or, three years on, are we sitting on a ticking time bomb? In this article, Steve Mellings, Founder of ADISA, weighs up all of the evidence

When GDPR came into force in the UK in May 2018, businesses were inundated with offers of "guaranteed GDPR compliance" from pop-up experts claiming to know how to avoid the 4%-of-turnover fines that were allegedly heading everyone's way. The reality was the provision of GDPR compliance policy bundles which, to this day, still sit carefully encased in the glass cubicle marked 'Break glass. If ICO, knock on door'.

Of course, I am being facetious, but for many businesses the burden of GDPR compliance has been a painful cross to bear, while for others the general confusion led to pointless expenditure on well-meaning, but ultimately fruitless, compliance projects. And so, the elephant in the room must be addressed: was GDPR all hot air or, three years on, are we sitting on a ticking time bomb?

The answer to this will vary, depending on whom you are talking to.

For many in the channel, GDPR has provided a point of reference to highlight a feature or benefit from a product being sold and so has enhanced their own value proposition. For others who offered 'GDPR silver bullet products or services', their embellishment of the capabilities of those products has seen their credibility eroded by buyers who were sold the dream, but ended up with very little.

In the legal field, the consensus from those I have spoken to is that GDPR has most definitely had an impact, but many are still frustrated at the distance between those who understand GDPR and those at the operational coalface. This leads to frequent unconscious non-compliance, which could easily be avoided. The response from data controllers varies as well. There are those who have viewed GDPR as a project to start when they are told to, whereas, for others, the fear of brand damage and threat to the balance sheet has motivated them to act now. How effective those actions are is an entirely different story!

Of course, Brexit threw a further spanner in the works, but with the release of the unofficial-looking 'Keeling Schedule', it is clear that GDPR, whether UK or EU, is still very much part of the regulatory landscape. If we also consider the UK Data Protection Act 2018 and the National Data Strategy, it is hardly surprising that, three years on, businesses are suffering from data protection fatigue, leaving many to park it in the 'too hard' part of their to-do lists.

There is some good news, however, emanating from the Information Commissioner's Office that can really help businesses. In August 2021, ADISA was delighted to be part of the first group of companies to have a standard formally approved by the ICO as a UK GDPR Certification Scheme.

WHAT IS A UK GDPR CERTIFICATION SCHEME?
In short, Certification Schemes are confirmed as meeting UK GDPR requirements, as determined by the ICO itself. The premise is that, by pre-approving the scheme, the ICO is taking away the burden that businesses have of trying to work out what a compliant position looks like within a specific business process.

This sounds simple enough, but when we consider that the law calls for both the controller and processor to take "appropriate technical and organisational measures", we run into a problem: who determines what is appropriate? Certification schemes help answer that question, as the ICO has determined what their view of appropriate is within each scheme that they assess.

'TAKING AWAY THE BURDEN OF COMPLIANCE WITH FIVE SIMPLE QUESTIONS'
I am, of course, going to be biased when I say that Certification Schemes can really help businesses that are looking to build UK GDPR compliance into a specific process, because the ICO's approval has pre-verified what compliance looks like. Gaining that approval was a two-year process, and it has not been without challenges. During discussions with the ICO, we needed to find a way of empowering the data controller to influence the treatment of 31 identified operational risks, to ensure the response was 'appropriate' for each specific data controller.

Other than getting the controller involved in the transaction in minute detail, how could we achieve this? The answer was to create a five-step process called the Data Impact Assurance Level (DIAL).

Outlined in an article that appeared in Computing Security in November 2021, this new concept is crucial for empowering the data controller to influence risk treatments so that they are commensurate with its own business environment. By undertaking the DIAL assessment and using an ADISA-certified company when disposing of retired assets, data controllers create a clear, defensible position in the eyes of the law.

A leading data protection and cyber security lawyer stated at the recent ADISA conference: "When assessing data breaches, we as a legal team look at factors surrounding the incident which may have led to the breach, and which could have been mitigated.

This last point provides clear opportunity for blame to be apportioned, unless the mitigation is proportionate to the business under investigation. Where certification schemes prove useful is that by complying with them the data controller is already proven as meeting the expectation of the regulator who has pre-approved the processes being evaluated. This is of huge legal significance, as it provides a clear defensible position which would be very difficult to overturn."

THE REAL QUESTION IS: WHY WOULDN'T YOU USE A CERTIFIED SCHEME?
Approved certification schemes are perhaps the clearest way in which the ICO can provide guidance on what it expects businesses to do within a specific data protection process.

Our Asset Recovery Standard 8.0 is not easy for industry to comply with, and provides a real challenge for those companies that offer asset recovery and media sanitisation services. However, this is a challenge many are willing to take on, in order to help their customers comply with UK GDPR. With 54 companies working towards certification, which will take place once our own UKAS accreditation is achieved in May 2022, this is one sector determined to help lift the burden of GDPR compliance from their customers.

As Anulka Claire, Acting Director of Regulatory Assurance of the ICO, points out: "This new concept is a significant step forward in enabling organisations to demonstrate their commitment to compliance with UK data protection law."

So, with the ICO's approval of ADISA Standard 8.0, organisations disposing of redundant IT assets no longer have to interpret the law themselves and work out what is viewed as appropriate. All they are required to do is use an ADISA-certified company, and rest assured that the ICO, UKAS and ADISA have worked together to ensure the process is confirmed as UK GDPR compliant.