The Privacy Imperative: Accreditations Can Help with Compliance and New Opportunities
What Print Service Providers Need to Know in Today’s Regulated Business Environment
Within the US, certain states such as California, Texas, and New Hampshire are establishing legislation to protect citizens' personally identifiable information (PII). Nations such as India, Japan, Australia, and Canada are mostly looking to the EU General Data Protection Regulation (GDPR) as the benchmark for their own regulations.
Fundamentally, they all share many common attributes and governance around processes and procedures for handling and protecting data. Today, we are seeing a true convergence of security and privacy. You simply cannot speak of one without talking about the other.
Why should you care, you might ask?
Within each of these regulations, there are two key and very prominent roles: the Data Controller (your customer) and the Data Processor (your company). The Data Controller holds the primary liability for any breach or data mishandling, with fines for non-compliance, and that liability extends to subcontractors and other third parties. Their responsibility therefore carries over to you as the Data Processor, as well as to any subcontractors or third parties you may use to complete a project.
The recommendation from the International Association of Privacy Professionals (IAPP) is to consult with your attorney to fully understand the regulations your customers may be bound to and, thus, your responsibilities. You should also discuss where you may need to adjust not only your operational data processing and data handling, but also any attestations in your client contracts that describe those practices.
Attestations and Accreditation
PSPs often seek the more lucrative jobs from print and media buyers who do business in regulated industries and who routinely need to submit jobs that include sensitive personally identifiable information and/or intellectual property (IP). These are typically the pharmaceutical, healthcare, finance, government, and manufacturing industry segments.
Such attestations and accreditations are provided through third-party international accounting firms that belong to the American Institute of Certified Public Accountants (AICPA), or through the International Organization for Standardization (ISO).
SOC 2 Audits
Rooted in the Sarbanes-Oxley Act (SOX) of 2002 for the oversight of financial institutions, a service organization control (SOC) 2 audit evaluates a commercial organization's ability to safely handle data across its business processes (e.g., people, storage, data in transit, and data at rest) over a period of time (typically six months). A successful audit affords the organization the coveted SSAE-18 status, which attests that its operation is in compliance with the SSAE-18 criteria. It can be rather pricey, but the PSPs I have spoken with who have made the investment have simply said, "Shop around for the best price. It is worth it."
ISO 27000 Series Certification
A certification recognized by the National Institute of Standards and Technology (NIST) and facilitated by the International Organization for Standardization (ISO), this is one of the larger ISO 27000 series of security standards and frameworks. It certifies that the organization maintains a consistent and measurable degree of operational security through controls, bonded workers, and encryption for data in transit and data at rest.
If you have responded to RFPs of late, you may have already seen security questionnaires that ask about these accreditations, and you may even have lost a client or two for lack of them in your normal retail business. Many print and media buyers are demanding that your SLAs and contracts include these attestations and statements of compliance, covering your due diligence and due care as a Data Processor in protecting PII, personal health information (PHI), and even PCI DSS compliance for e-commerce through content storefronts.
The bottom line is that investing in accreditations can yield more lucrative and sticky business, because buyers consider it worth paying a higher premium for the comfort of knowing that personal information and IP are in capable hands with minimal risk.