This is an old revision of the document!
On occasion, we are asked whether Esferico can provide a GDPR Certificate for our products.
GDPR Certificates were agreed to be promoted by the various GDPR enforcement agencies around the EU, the agency responsible in the UK being the ICO, as it had been with the standard Data Protection Act. This promotion was generally intended to 'raise the bar' of GDPR compliance.
At this time, Esferico ltd. have chosen not to seek a GDPR Certificate - the simple reason being that no product or service provided by Esferico ltd. is covered by the GDPR Certificate scheme.
Read on to learn why.
There is a list of valid reasons why, in the long term, all companies providing data processing services may wish to gain a GDPR Certificate - despite the fact that GDPR organisations around Europe are intended to promote the system, participation is voluntary which in many ways immediately reduces the effectiveness of the system.
At this current time however, the following paragraph from the ICO documentation is probably the most applicable in this case:
Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.
(emphasis added)
While GDPR enforcement organisations around Europe are intended to promote the GDPR Certificate scheme, the reality is that certificates are neither audited by, enforced by or even issued by the ICO.
Instead, 3rd party companies and consultancies identify an area of interest to themselves, put together a compliance framework for that type of industry or product, and them submit that framework to the ICO for authorisation.
Once the framework is authorised, the 3rd party company or consultancy is able to charge a fee for the assessment of companies and - if they comply with the conditions of the framework - issue them with a GDPR Compliance Certificate. The Certificate is issued by the 3rd party company, and not the ICO. The framework in question is owned by the 3rd party.
The ICO has been slow to roll out the scheme. They finally started to take action in March 2020 and in April 2021, they released a list of currently ICO authorised schemes.
As at time of writing, this scheme still only has 3 authorised schemes and none of them apply to either the industry or products provided by Esferico ltd.
Further information on the GDPR Certificate scheme can be found at the ICO Certification webpage.
Note that at a future time when a suitable certification scheme is in place, is balanced and we believe is correct for the industry in which Esferico ltd. provides products, a GDPR Certificate will be sought.