New Certification Requirement Linked to GDPR/CCPA Compliance

December 13, 2019

Effective January 1, 2020, NAID AAA Certification will require policies and procedures to be updated to address requirements of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) wherein service providers are required to respond to Data Subject requests.

Asked why i-SIGMA is requiring all NAID AAA Certified service providers to update their policy language, CEO Bob Johnson said there are three reasons. “First of all,” said Johnson, “our covenant with the client – the Data Controller – is that NAID AAA Certification verifies compliance with all global data protection laws. Second, GDPR and CCPA are not bounded by national or state boundaries, applying instead to all citizens of those jurisdictions no matter where the citizen or the business with whom they share their personal information is located. Lastly,” Johnson adds, “it is only a matter of time until all data protection regulations give these rights to Data Subjects. Requiring it of all members simply prepares them for inevitable.”

To assist NAID AAA Certified companies in updating the written policies and procedures, i-SIGMA will provide NAID AAA Certified with sample language for that purpose.

The requirement to update policies is January 1, 2020, however, those found to have not updated their policies and procedures will be given a brief grace period to add the language afterward.