When many of us think about the privacy laws that are emerging across the US and the world, we think of consumer consent. Are we requesting, receiving, and storing the consumer’s consent to collect and use their data?
However, your obligations under the law extend beyond how your organization uses data. Increasingly, you are required to ensure that any partner with whom you share consumer data is also in compliance with all privacy regulations. In a sense, you are your vendor’s keeper.
It’s not just a matter of including an indemnification in a contract. Some privacy laws, such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act among others, have introduced new requirements for businesses, including the need to take “reasonable and appropriate steps” to ensure that your partners use personal information in ways that are consistent with the laws.
What are such steps? They can include mandatory audit provisions in contracts, regular reviews, and audits of your partner’s data collection and processing activities.
Paragon Digital Services ISO Certifications
Paragon Digital Services has always believed that our data processes should adhere to rigorous frameworks to ensure our data collection, management, and security processes are top-notch. After all, we handle consumer data on behalf of our clients, and even before these laws were enacted, we were keen to have a comprehensive approach to data security and privacy in place.
For these reasons, we put in the time, investments, and resources required to achieve and maintain ISO 27701, ISO 27001, and ISO 9001 certification.
ISO 27701 and Consumer Privacy Protection
What is ISO 27701? How does it relate to privacy compliance? And why did Paragon Digital Services invest in achieving and maintaining ISO 27701 certification?
ISO 27701 specifically addresses consumer data privacy. The standard outlines a comprehensive framework for protecting any PII that is collected, stored, or transferred during a range of activities, including online advertising and digital marketing.
When we execute a campaign on your behalf, any data you share with us, and any PII data we collect or even have access to, is handled following this framework.
Specifically, ISO/IEC 27701 provides guidance on establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). A PIMS is designed to help organizations, such as Paragon Digital Services, demonstrate their compliance with privacy regulations and requirements.
The standard includes provisions for risk assessment and treatment, as well as measures for monitoring, measurement, analysis, and evaluation.
It isn’t easy to achieve any of the ISO certifications as the requirements are quite stringent, encompassing people, processes, technology, and even how physical workspaces are organized (for instance, our teams are physically separated per ISO requirements, and sensitive areas require biometric access).
And central to certification are annual audits by a third-party auditor. It typically takes the auditor four weeks to verify that every box is checked, and omitting even a single, seemingly minor requirement jeopardizes a successful certification.
The Bottom Line
ISO 27701 is geared towards consumer data privacy, and certification means the vendor aligns with CCPA, GDPR, and other privacy regulations.
Put another way, if your vendor has achieved and maintains ISO 27701, you can be assured that your partner complies with the privacy regulations and is audited. If they have not, your company’s legal exposure could be massive. This is why Paragon maintains ISO 27701 certification.
If you are interested in discovering more about digital ad operations compliance standards, reach out to Sujith so we can set up a call.