pergamonmystic:linkedhelp:gdprcertificate
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision Next revision Both sides next revision | ||
|
pergamonmystic:linkedhelp:gdprcertificate [2021/10/14 07:44] admin created |
pergamonmystic:linkedhelp:gdprcertificate [2021/10/14 09:08] admin |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Mystic Help ====== | ||
| + | ===== GDPR Certificate ===== | ||
| On occasion, we are asked whether Esferico can provide a GDPR Certificate for our products. | On occasion, we are asked whether Esferico can provide a GDPR Certificate for our products. | ||
| - | What is GDPR Certification? | + | GDPR Certificates were agreed to be promoted by the various GDPR enforcement agencies around the EU, the agency responsible in the UK being the [[https://ico.org.uk|ICO]], as it had been with the standard Data Protection Act. This promotion was generally intended to 'raise the bar' of GDPR compliance. |
| - | GDPR Certification was a process which the ICO started to implement some time ago, but with a very slow rate of progress. It is the aim of GDPR and UK GDPR bodies to promote the certification system. | + | |
| + | **At this time**, Esferico ltd. have chosen **not** to seek a GDPR Certificate - the simple reason being that **no product or service provided by Esferico ltd. is covered by the GDPR Certificate scheme**. | ||
| + | |||
| + | Read on to learn why. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ==== Who should apply for Certification? ==== | ||
| + | |||
| + | There is a list of valid reasons why, in the long term, all companies providing data processing services may wish to gain a GDPR Certificate - despite the fact that GDPR organisations around Europe are intended to promote the system, participation is **voluntary** which in many ways immediately reduces the effectiveness of the system. | ||
| + | |||
| + | At this current time however, the following paragraph from the ICO documentation is probably the most applicable in this case: | ||
| + | |||
| + | ''Applying for certification is voluntary. However, __**if** there is an approved certification scheme that covers your processing activity__, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.'' | ||
| + | |||
| + | //(emphasis added)// | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ==== What is GDPR Certification? ==== | ||
| + | |||
| + | While GDPR enforcement organisations around Europe are intended to promote the GDPR Certificate scheme, the reality is that certificates are neither audited by, enforced by or even issued by the ICO. | ||
| + | |||
| + | Instead, 3rd party companies and consultancies identify an area of interest to themselves, put together a compliance framework for that type of industry or product, and them submit that framework to the ICO for authorisation. | ||
| + | |||
| + | Once the framework is authorised, the 3rd party company or consultancy is able to charge a fee for the assessment of companies and - if they comply with the conditions of the framework - issue them with a GDPR Compliance Certificate. The Certificate is issued by the 3rd party company, and **not** the ICO. The framework in question is //owned// by the 3rd party. | ||
| + | |||
| + | The ICO has been slow to roll out the scheme. They finally started to take action in March 2020 and in April 2021, they released a list of currently [[https://ico.org.uk/for-organisations/certification-schemes-register/a-h/|ICO authorised schemes]]. | ||
| + | |||
| + | As at time of writing, this scheme still only has __3 authorised schemes__ and //none// of them apply to either the industry or products provided by Esferico ltd. | ||
| + | |||
| + | |||
| + | Further information on the GDPR Certificate scheme can be found at the [[https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/certification/|ICO Certification]] webpage. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ==== Summarised aspects of the GDPR Certificate scheme ==== | ||
| - | As of March 2020, ICO finally implemented a GDPR Certification system in which companies and organisations can provide documentation to a 'scheme' which matches the use of data in a product or the organisation in general and have it assessed. | + | * The GDPR Certification scheme is totally voluntary, and is not part of the required GDPR or Data Protection legislation responsibilities of data processors. |
| - | Some of the reasons for becoming 'certified' rely on the possibility of 'commercial advantage' (i.e. as an organisation we should become certified, while our competitors are not), and to show compliance with GDPR principles. | + | * The certification process is administered by 3rd party companies who approach the ICO with a framework (which they own) of an assessment against which companies can be assessed (for a fee). |
| - | Are we part of the scheme? | + | * They are then able to provide consultancy services and even software products for the assessment of your organisation against the framework. While these schemes are 'authorised' by the ICO, they are not official assessments against the GDRP, only the 3rd party framework. |
| - | No. Esferico chose not to be part of the GDPR Certification scheme at this time. | + | |
| - | This does not however, in any way reduce our statutory compliance with the GDPR and other UK Data protection Legislation. | + | * At this time, there is no official pro-active auditing system in place to confirm compliance with the GDPR for small to medium businesses other than that administered retrospectively due to a data breach or known lack of compliance. Pro-active auditing is performed for large organisations (councils, police forces etc.) which process significant amounts of protected data, and distinct characteristics. |
| - | Why are we not part of the scheme? | + | * A list of authorised schemes was finally made available from April 2021 (see [[https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/certification/|ICO Certification]]) and is therefore still very much in its infancy. At the time of writing, only three such official schemes are listed as being approved by the ICO, and none of which are applicable to the products provided by Esferico ltd. |
| - | The most important reason that we are not part of the certification process is simply that there is no scheme that covers Pergamon, Mystic or any other product produced by Esferico ltd. | + | |
| - | As stated in the ICO documentation: | + | * Certification can be an expensive process, and must be balanced against the information that is recorded within any individual product. Such costs would therefore also need to be passed on to clients. The same assurances of GDPR compliance can be obtained from the GDPR compliance documentation required to be generated by the statutory GDPR legislation in place (see [[PergamonMystic:linkedhelp:gdprdocuments|GDPR and Data Protection Documents]]) |
| - | Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships. | + | * Esferico applications store a very small number of fields which are categorised as protected data (most is not personal in nature, and most is deemed as being in the public domain) and most is not useful for identification. |
| - | (emphasis added) | + | * While capable of being stored, wider protected characteristics, addresses and contact information are typically not stored within these systems and the facilities are locked out. |
| - | As it currently stands however, we additionally feel that the GDPR Certification process provides neither an advantage to ourselves, nor to our clients. All GDPR compliance is available via other documentation, and simply represents a cost to a private company (not the ICO) which must be passed on by those who voluntarily certify against a 3rd part framework (again, not created by the ICO). | + | ---- |
| - | Further information about certification: | + | Note that at a future time when a suitable certification scheme is in place, is balanced and we believe is correct for the industry in which Esferico ltd. provides products, a GDPR Certificate will be sought. |
| - | The GDPR Certification scheme is totally voluntary, and is not part of the required GDPR or Data Protection legislation responsibilities of data processors. | + | ---- |
| - | The certification process is administered by 3rd party companies who approach the ICO with a framework (which they own) of an assessment against which companies can be assessed (for a fee). They are then able to provide consultancy services and even software products for the assessment of your organisation against the framework. While these schemes are 'authorised' by the ICO, they are not official assessments - they effectively equate to an individual receiving a certificate from a private training session (as long of course, as the organisation passes). | + | |
| - | At this time, there is no official auditing system in place to confirm compliance with the GDPR. | + | |
| - | While the ICO can (and do) audit companies retrospectively for adherence to the GDPR (e.g. after a breach), this is a totally separate and official aspect of the ICO - the documentation that needs to be provided for an audit is essentially the same as that for a certification. | + | |
| - | A list of authorised schemes was finally made available from April 2021 (see ICO Certification Schemes) and is therefore still very much in its infancy. At of the time of writing, only three such official schemes are listed as being approved by the ICO, and none of which are applicable to the products provided by Esferico ltd. | + | |
| - | Certification is an expensive process, and must be balanced against the information that is recorded within any individual product. Such costs would therefore also need to be passed on to clients. Esferico applications store a very small number of fields which are categorised as protected data (most is not personal in nature, and most is deemed as being in the public domain) and most is not useful for identification. Wider protected characteristics, addresses and contact information are typically not stored within these systems. | + | |
| - | + | ||
| - | Further information on the certification system can be found at the ICO Certification web page. | ||
| - | Last edited: May 2021. | + | {{:logo.png?nolink |}}\\ |
| + | [[:pergamonmystic:linkedhelp|Mystic Linked Help Files]]\\ | ||
| + | [[:start|Pergamon Wiki Home]] | ||
| - | |||
pergamonmystic/linkedhelp/gdprcertificate.txt · Last modified: 2024/02/06 11:05 by admin
Page Tools
