Esferico ltd. is registered with the ICO as a data processor.

A copy of our registration certification can be obtained from the ICO website here: Esferico ltd. ICO Registration Certificate

Note that this registration renews on a yearly basis.

On occasion, we are asked whether Esferico can provide a GDPR Framework Certificate for our products.

GDPR Framework Certificates were agreed to be promoted by the various GDPR enforcement agencies around the EU, the agency responsible in the UK being the ICO, as it had been with the standard Data Protection Act. This promotion was generally intended to 'raise the bar' of GDPR compliance.

At this time, Esferico ltd. have chosen not to seek a GDPR Certificate - the simple reason being that no product or service provided by Esferico ltd. is covered by a GDPR Certificate scheme.

We are unable to obtain a certificate therefore, as there is no certificate to obtain.

Read on to learn why, but in many ways this process has been superseded by the general data protection registration requirement (see top).

There is a list of valid reasons why - in the long term, all companies providing data processing services may wish to gain a GDPR Certificate - despite the fact that GDPR organisations around Europe are intended to promote the system, participation is voluntary which in many ways immediately reduces the effectiveness of the system.

At this current time however, the following paragraph from the ICO documentation is probably the most applicable in this case:

Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.

(emphasis added)

While GDPR enforcement organisations around Europe are intended to promote the GDPR Certificate scheme, the reality is that certificates are not audited by, enforced by or even issued by the ICO.

Instead, 3rd party companies and consultancies identify an area of interest to themselves, put together a compliance framework for that type of industry or product, and them submit that framework to the ICO for authorisation.

Once the framework is authorised, the 3rd party company or consultancy is able to charge a fee for the assessment of companies and - if they comply with the conditions of the framework - issue them with a GDPR Compliance Certificate. The Certificate is issued by the 3rd party company, and not the ICO. The framework in question is owned by the 3rd party.

The ICO has been slow to roll out the scheme. They finally started to take action in March 2020 and in April 2021, they released a list of currently ICO authorised schemes. Do not be surprised if clicking this link, actually leads to a dead-page at sometime in the future!

As at time of writing, this scheme still only has 3 authorised schemes and none of them apply to either the industry or products provided by Esferico ltd.

Further information on the GDPR Certificate scheme can be found at the ICO Certification webpage.

• The GDPR Certification scheme is totally voluntary, and is not part of the required GDPR or Data Protection legislation responsibilities of data processors.

• The certification process is administered by 3rd party companies who approach the ICO with a framework (which they own) of an assessment against which companies can be assessed (for a fee).

• They are then able to provide consultancy services and even software products for the assessment of your organisation against the framework. While these schemes are 'authorised' by the ICO, they are not official assessments against the GDRP, only the 3rd party framework.

• At this time, there is no official pro-active auditing system in place to confirm compliance with the GDPR for small to medium businesses other than that administered retrospectively due to a data breach or known lack of compliance. Pro-active auditing is performed for large organisations (councils, police forces etc.) which process significant amounts of protected data, and distinct characteristics.

• A list of authorised schemes was finally made available from April 2021 (see ICO Certification) and is therefore still very much in its infancy. At the time of writing, only three such official schemes are listed as being approved by the ICO, and none of which are applicable to the products provided by Esferico ltd.

• Certification can be an expensive process, and must be balanced against the information that is recorded within any individual product. Such costs would therefore also need to be passed on to clients. The same assurances of GDPR compliance can be obtained from the GDPR compliance documentation required to be generated by the statutory GDPR legislation in place (see GDPR and Data Protection Documents)

• Esferico applications store a very small number of fields which are categorised as protected data (most is not personal in nature, and most is deemed as being in the public domain) and most is not useful for identification.

• While capable of being stored, wider protected characteristics, addresses and contact information are typically not stored within these systems and the facilities are locked out.

Note that at a future time when a suitable certification scheme is in place, is balanced and we believe is correct for the industry in which Esferico ltd. provides products, a GDPR Certificate will be sought.

Mystic Linked Help Files
Pergamon Wiki Home