pergamonmystic:linkedhelp:gdprcertificate
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
pergamonmystic:linkedhelp:gdprcertificate [2021/10/14 07:44] admin created |
pergamonmystic:linkedhelp:gdprcertificate [2024/02/06 11:05] (current) admin |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Mystic Help ====== | ||
| + | ===== Data Protection Registration ===== | ||
| + | Esferico ltd. is registered with the ICO as a data processor. | ||
| - | On occasion, we are asked whether Esferico can provide a GDPR Certificate for our products. | + | A copy of our registration certification can be obtained from the ICO website here: [[https://ico.org.uk/ESDWebPages/Entry/ZA899221|Esferico ltd. ICO Registration Certificate]] |
| - | What is GDPR Certification? | + | Note that this registration renews on a yearly basis. |
| - | GDPR Certification was a process which the ICO started to implement some time ago, but with a very slow rate of progress. It is the aim of GDPR and UK GDPR bodies to promote the certification system. | + | |
| - | As of March 2020, ICO finally implemented a GDPR Certification system in which companies and organisations can provide documentation to a 'scheme' which matches the use of data in a product or the organisation in general and have it assessed. | + | ===== GDPR Framework Certificate ===== |
| - | Some of the reasons for becoming 'certified' rely on the possibility of 'commercial advantage' (i.e. as an organisation we should become certified, while our competitors are not), and to show compliance with GDPR principles. | + | On occasion, we are asked whether Esferico can provide a GDPR Framework Certificate for our products. |
| - | Are we part of the scheme? | + | GDPR Framework Certificates were agreed to be promoted by the various GDPR enforcement agencies around the EU, the agency responsible in the UK being the [[https://ico.org.uk|ICO]], as it had been with the standard Data Protection Act. This promotion was generally intended to 'raise the bar' of GDPR compliance. |
| - | No. Esferico chose not to be part of the GDPR Certification scheme at this time. | + | |
| - | This does not however, in any way reduce our statutory compliance with the GDPR and other UK Data protection Legislation. | + | **At this time**, Esferico ltd. have chosen **not** to seek a GDPR Certificate - the simple reason being that **no product or service provided by Esferico ltd. is covered by a GDPR Certificate scheme**. |
| - | Why are we not part of the scheme? | + | We are unable to obtain a certificate therefore, as there is no certificate to obtain. |
| - | The most important reason that we are not part of the certification process is simply that there is no scheme that covers Pergamon, Mystic or any other product produced by Esferico ltd. | + | |
| - | As stated in the ICO documentation: | + | Read on to learn why, but in many ways this process has been superseded by the general data protection registration requirement (see top). |
| - | Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships. | + | ---- |
| - | (emphasis added) | + | ==== Who should apply for Certification? ==== |
| - | As it currently stands however, we additionally feel that the GDPR Certification process provides neither an advantage to ourselves, nor to our clients. All GDPR compliance is available via other documentation, and simply represents a cost to a private company (not the ICO) which must be passed on by those who voluntarily certify against a 3rd part framework (again, not created by the ICO). | + | There is a list of valid reasons why - in the long term, all companies providing data processing services may wish to gain a GDPR Certificate - despite the fact that GDPR organisations around Europe are intended to promote the system, participation is **voluntary** which in many ways immediately reduces the effectiveness of the system. |
| - | Further information about certification: | + | At this current time however, the following paragraph from the ICO documentation is probably the most applicable in this case: |
| - | The GDPR Certification scheme is totally voluntary, and is not part of the required GDPR or Data Protection legislation responsibilities of data processors. | + | ''Applying for certification is voluntary. However, __**if** there is an approved certification scheme that covers your processing activity__, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.'' |
| - | The certification process is administered by 3rd party companies who approach the ICO with a framework (which they own) of an assessment against which companies can be assessed (for a fee). They are then able to provide consultancy services and even software products for the assessment of your organisation against the framework. While these schemes are 'authorised' by the ICO, they are not official assessments - they effectively equate to an individual receiving a certificate from a private training session (as long of course, as the organisation passes). | + | |
| - | At this time, there is no official auditing system in place to confirm compliance with the GDPR. | + | |
| - | While the ICO can (and do) audit companies retrospectively for adherence to the GDPR (e.g. after a breach), this is a totally separate and official aspect of the ICO - the documentation that needs to be provided for an audit is essentially the same as that for a certification. | + | |
| - | A list of authorised schemes was finally made available from April 2021 (see ICO Certification Schemes) and is therefore still very much in its infancy. At of the time of writing, only three such official schemes are listed as being approved by the ICO, and none of which are applicable to the products provided by Esferico ltd. | + | |
| - | Certification is an expensive process, and must be balanced against the information that is recorded within any individual product. Such costs would therefore also need to be passed on to clients. Esferico applications store a very small number of fields which are categorised as protected data (most is not personal in nature, and most is deemed as being in the public domain) and most is not useful for identification. Wider protected characteristics, addresses and contact information are typically not stored within these systems. | + | |
| - | + | ||
| - | Further information on the certification system can be found at the ICO Certification web page. | + | //(emphasis added)// |
| - | Last edited: May 2021. | + | ---- |
| + | |||
| + | ==== What is GDPR Certification? ==== | ||
| + | |||
| + | While GDPR enforcement organisations around Europe are intended to promote the GDPR Certificate scheme, the reality is that certificates are not audited by, enforced by or even issued by the ICO. | ||
| + | |||
| + | Instead, 3rd party companies and consultancies identify an area of interest to themselves, put together a compliance framework for that type of industry or product, and them submit that framework to the ICO for authorisation. | ||
| + | |||
| + | Once the framework is authorised, the 3rd party company or consultancy is able to charge a fee for the assessment of companies and - if they comply with the conditions of the framework - issue them with a GDPR Compliance Certificate. The Certificate is issued by the 3rd party company, and **not** the ICO. The framework in question is //owned// by the 3rd party. | ||
| + | |||
| + | The ICO has been slow to roll out the scheme. They finally started to take action in March 2020 and in April 2021, they released a list of currently [[https://ico.org.uk/for-organisations/certification-schemes-register/a-h/|ICO authorised schemes]]. Do not be surprised if clicking this link, actually leads to a dead-page at sometime in the future! | ||
| + | |||
| + | As at time of writing, this scheme still only has __3 authorised schemes__ and //none// of them apply to either the industry or products provided by Esferico ltd. | ||
| + | |||
| + | |||
| + | Further information on the GDPR Certificate scheme can be found at the [[https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/certification/|ICO Certification]] webpage. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ==== Summarised aspects of the GDPR Certificate scheme ==== | ||
| + | |||
| + | * The GDPR Certification scheme is totally voluntary, and is not part of the required GDPR or Data Protection legislation responsibilities of data processors. | ||
| + | |||
| + | * The certification process is administered by 3rd party companies who approach the ICO with a framework (which they own) of an assessment against which companies can be assessed (for a fee). | ||
| + | |||
| + | * They are then able to provide consultancy services and even software products for the assessment of your organisation against the framework. While these schemes are 'authorised' by the ICO, they are not official assessments against the GDRP, only the 3rd party framework. | ||
| + | |||
| + | * At this time, there is no official pro-active auditing system in place to confirm compliance with the GDPR for small to medium businesses other than that administered retrospectively due to a data breach or known lack of compliance. Pro-active auditing is performed for large organisations (councils, police forces etc.) which process significant amounts of protected data, and distinct characteristics. | ||
| + | |||
| + | * A list of authorised schemes was finally made available from April 2021 (see [[https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/certification/|ICO Certification]]) and is therefore still very much in its infancy. At the time of writing, only three such official schemes are listed as being approved by the ICO, and none of which are applicable to the products provided by Esferico ltd. | ||
| + | |||
| + | * Certification can be an expensive process, and must be balanced against the information that is recorded within any individual product. Such costs would therefore also need to be passed on to clients. The same assurances of GDPR compliance can be obtained from the GDPR compliance documentation required to be generated by the statutory GDPR legislation in place (see [[PergamonMystic:linkedhelp:gdprdocuments|GDPR and Data Protection Documents]]) | ||
| + | |||
| + | * Esferico applications store a very small number of fields which are categorised as protected data (most is not personal in nature, and most is deemed as being in the public domain) and most is not useful for identification. | ||
| + | |||
| + | * While capable of being stored, wider protected characteristics, addresses and contact information are typically not stored within these systems and the facilities are locked out. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | Note that at a future time when a suitable certification scheme is in place, is balanced and we believe is correct for the industry in which Esferico ltd. provides products, a GDPR Certificate will be sought. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | |||
| + | {{:logo.png?nolink |}}\\ | ||
| + | [[:pergamonmystic:linkedhelp|Mystic Linked Help Files]]\\ | ||
| + | [[:start|Pergamon Wiki Home]] | ||
| - | |||
pergamonmystic/linkedhelp/gdprcertificate.1634197480.txt.gz · Last modified: 2021/10/14 07:44 by admin
Page Tools
