On occasion, we are asked whether Esferico can provide a GDPR Certificate for our products.
What is GDPR Certification?
GDPR Certification was a process which the ICO started to implement some time ago, but with a very slow rate of progress. It is the aim of GDPR and UK GDPR bodies to promote the certification system.
As of March 2020, ICO finally implemented a GDPR Certification system in which companies and organisations can provide documentation to a 'scheme' which matches the use of data in a product or the organisation in general and have it assessed.
Some of the reasons for becoming 'certified' rely on the possibility of 'commercial advantage' (i.e. as an organisation we should become certified, while our competitors are not), and to show compliance with GDPR principles.
Are we part of the scheme?
No. Esferico chose not to be part of the GDPR Certification scheme at this time.
This does not however, in any way reduce our statutory compliance with the GDPR and other UK Data protection Legislation.
Why are we not part of the scheme?
The most important reason that we are not part of the certification process is simply that there is no scheme that covers Pergamon, Mystic or any other product produced by Esferico ltd.
As stated in the ICO documentation:
Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.
(emphasis added)
As it currently stands however, we additionally feel that the GDPR Certification process provides neither an advantage to ourselves, nor to our clients. All GDPR compliance is available via other documentation, and simply represents a cost to a private company (not the ICO) which must be passed on by those who voluntarily certify against a 3rd part framework (again, not created by the ICO).
Further information about certification:
- The GDPR Certification scheme is totally voluntary, and is not part of the required GDPR or Data Protection legislation responsibilities of data processors.
- The certification process is administered by 3rd party companies who approach the ICO with a framework (which they own) of an assessment against which companies can be assessed (for a fee). They are then able to provide consultancy services and even software products for the assessment of your organisation against the framework. While these schemes are 'authorised' by the ICO, they are not official assessments - they effectively equate to an individual receiving a certificate from a private training session (as long of course, as the organisation passes).
- At this time, there is no official auditing system in place to confirm compliance with the GDPR.
- While the ICO can (and do) audit companies retrospectively for adherence to the GDPR (e.g. after a breach), this is a totally separate and official aspect of the ICO - the documentation that needs to be provided for an audit is essentially the same as that for a certification.
- A list of authorised schemes was finally made available from April 2021 (see ICO Certification Schemes) and is therefore still very much in its infancy. At of the time of writing, only three such official schemes are listed as being approved by the ICO, and none of which are applicable to the products provided by Esferico ltd.
- Certification is an expensive process, and must be balanced against the information that is recorded within any individual product. Such costs would therefore also need to be passed on to clients. Esferico applications store a very small number of fields which are categorised as protected data (most is not personal in nature, and most is deemed as being in the public domain) and most is not useful for identification. Wider protected characteristics, addresses and contact information are typically not stored within these systems.
Further information on the certification system can be found at the ICO Certification web page.
Last edited: May 2021.