SCHEME OPERATION
CERTIFICATION BODY OBLIGATIONS
​
Certification Bodies must be UKAS accredited. More information: https://www.ukas.com/accreditation/about/how-to-get-ukas-accreditation/

In addition, the Certification Body must be licensed by the Scheme Owner, 2twenty4 Consulting.

Once a licence agreement has been signed, the Certification Body will be provided with a Scheme Operating Manual that details the scheme's obligations and requirements.
​
​SCHEME REVIEWS
Emergency Review.
During the operation of the scheme there may be challenges, changes, or complaints which result in a need to change the scheme without undue delay.
​
The Scheme Owner reacts to this information promptly and, if after due consideration a change is felt to be required, will liaise with the Scheme Approver on the matter.

The SO will also liaise with Certification Bodies to consider the impact of any change before a change is made.
All changes will be cascaded out to all CBs with change management guidance issued by the SO.
​
Annual Assessment.
The SO will meet with the CBs annually to discuss the following:
- Is the scheme fulfilling its objectives?
- Any outstanding issues
- Any known forthcoming legislation changes
- Any known forthcoming guidance changes
- Any proposed CB pricing changes
- Any proposed version upgrades
Effectiveness
- Is the scheme successful?
- What is the level of application?
- What is the completion rate from Application to Certification?
Accuracy
- Have there been any issues with controls?
- Has any element of the standard been challenged?
- Is the standard still meeting UK GDPR compliance requirements?
Compliance
- Is the CB maintaining audit standards?
- Is the CB maintaining requirements laid out in the Scheme Operation Manual?
​​
Three-Year Review.
Every three years the scheme will be formally reviewed via the creation of a scheme review committee. The SO will publish the review and will invite stakeholders to volunteer to participate in the scheme review. Representatives of certified companies and certification bodies will also be invited to ensure the scheme review has broad representation.
​
The output from the three-year review will be an update to the Standard which will then be issued to the ICO alongside supporting change documents for assessment and approval.
​
Validation Audit
The Scheme Owner will carry out an annual desktop audit of each Certification Body.
​
The desktop audit will check:
- UKAS accreditation of each CB for LOCS:23 by checking website.
- Evidence of resource management to support LOCS:23 certification.
- Request evidence of feedback from Scheme Applicants.
​
COMPLAINTS AND APPEALS PROCESS
​
Given the different roles of the scheme participants there are different complaints and appeals processes.
Complaints and Appeals to the Scheme Approver (ICO)
Examples of where the Scheme Applicant can appeal to the Scheme Approver:
- They believe the scheme does not meet the objective of UK GDPR compliance certification.
Contact - certification@ico.org.uk
Complaints and Appeals to the Scheme Owner (2twenty4)
Examples of where the Scheme Applicant can appeal to the Scheme Owner (2twenty4):
- The scheme is out of date, resulting in missing legislation requirements.
- The scheme has incorrect legislation requirements.
- Other parts of the scheme documentation are incorrect.
Complaints and Appeals to the Certification Body
Examples of where the Scheme Applicant can appeal to the Certification Body:
- The auditor was not impartial throughout.
- The auditor did not display knowledge of the industry / standard.
- The facility suffered an exceptional issue and so was not operating as business as usual.
- The Certification Mark is being used inappropriately.
​
For ADISA contact - https://adisa.global/contact-us-2/
Each CB will publish their own complaints and appeals process.
​
​
​