Regulatory Changes Have the Potential to Enhance Client Engagement and Service Provider Profits
April 7, 2021
To keep i-SIGMA certifications (NAID AAA and PRISM Privacy+) relevant, they must reflect and validate service providers’ regulatory requirements. As I have often written, that is one of our biggest challenges, and it is the key to NAID AAA Certification and PRISM Privacy+ Certification maintaining their growing preeminence with clients internationally.
For more than a decade, certified companies have been required to designate the individual who is responsible for certification compliance. While this requirement obviously serves a practical function for i-SIGMA, there is also a regulatory aspect to it. Because certification verifies data protection regulatory compliance, the assignment of a responsible individual was also intended to satisfy the regulatory obligation to have a designated Compliance Officer.
Unless you’ve been living under a rock since May 25, 2018, you already realize the EU General Data Protection Regulation (GDPR) began a global trend toward stricter data protection requirements. Even in the US, notoriously unpersuaded by global data protection laws, we immediately saw the California Consumer Privacy Act come to fruition, and, post pandemic, a host of similar regulations have either been passed or proposed at the state level.
Among the changes to these regulations is a renewed and enhanced requirement for service providers (a.k.a. data processors) and clients (a.k.a. data controllers) to designate a Compliance Officer (the GDPR's term is Data Protection Officer). In some cases, the Compliance Officer's contact details must even be communicated to the relevant data protection authority.
Two Things This Means for Service Providers:
- If they have not already, service providers will have to formally designate a Compliance Officer. (I realize many already have.) The good news for NAID AAA and PRISM Privacy+ Certified firms is that these certifications already do the heavy lifting by showing them what they must do – at least in regard to their status as a data processor. It is, by the way, also a near certainty that certified firms will soon see a more robust certification requirement to identify a Compliance Officer.
- Under the regulations, the requirement to have a Compliance Officer can be outsourced. In the EU, where the GDPR requirement took on a new life, many data security professionals are renting themselves out to organizations that do not have the resources for a full-time Compliance Officer.
  a. This means, if a service provider were so inclined, they could hire an outside professional to fill this function for them.
  b. Or…it means that service providers willing to obtain or hire the proper expertise could offer such outsourced services to their clients, most of whom will definitely not have the internal resources or expertise to have a data protection Compliance Officer on staff. Of course, there are many value-added models for doing this: baking it into the service, offering it as an add-on, etc. But, regardless of how the value is extracted, it is hard to imagine a stickier client retention (or client development) program. (It is worth noting that some i-SIGMA members in Europe are already doing this.) It is also worth noting that anyone doing this must absolutely be qualified. You don’t just hang out a shingle.
  c. Or…it means that service providers should – at minimum – be networking with these outsourced professionals in their markets in order to get referrals.
  d. And…where your current clients already have a Compliance Officer, get to know them. It’s a lot better dealing with someone who gets the importance of your service than it is dealing with the facilities manager or purchasing agent.
I would be remiss not to mention that service provider data protection compliance also encompasses issues that have nothing to do with their role as data processors. They all have employees. Some hold client payment information. The point is, all businesses have internal data protection requirements that are independent of the business they are in.
This is the part where I explain what i-SIGMA can do to help. Yes, NAID AAA and PRISM Privacy+ Certification tell members how to meet their requirements as service providers.
But knowing how to meet members’ internal data protection regulations as employers is another thing. And knowing how to advise clients on data protection requirements in a way that doesn’t lead to malpractice is another thing.
Frankly, what I know right now is that i-SIGMA can and should have a role in helping members navigate and capitalize. I am also pretty sure we’ll be working it and have more in the near future.