Laws around data security have been tightened recently. It was always the case that we were careful with personal information and that we discussed with our clients how we kept this information safe, but now the bar has been set even higher. Corporate Holland woke up…
Duty to inform
One thing in particular that woke up Dutch companies is the “Duty to inform”. If you suspect that data you manage has been leaked or sent to the wrong person, you are obliged to inform the owner of that data, in particular when it concerns personal information. Perfectly understandable of course. You use your client’s information to approach the market, and when something goes wrong, you inform your client. In my mind, that’s normal in any business relationship.
Everybody wants ISO
Then, we received a request from one of our clients to sign an addendum to our existing contract. In the addendum we would declare that we’re ISO certified. But we aren’t. I contacted this client to ask why we needed to sign this, and to tell him that we couldn’t sign. “For extra security”, was the explanation. And: “we won’t be the only ones who’ll be asking this, so you should get it together!”.
We like to grant our clients’ wishes, so we decided to get ISO certified. Can’t be that hard, I thought. Soon enough, it became clear that a whole new economy has grown up around ISO certifications, driven by granting business to each other. Only an accredited agency can perform an audit. These agencies have a standard formula for how many DAYS the audit will take, regardless of the complexity of the business. Just for reading our case, a consultant needs 1 WHOLE DAY. How smart these consultants must be, was my first thought… Then I found out that the chance of passing the audit was very slim if we didn’t use a consultant to prepare for it. And you can guess, these consultants aren’t cheap!
ISO mandatory? Hell no!
My unease grew and I decided to call the Ministry of Economic Affairs. I needed some background and wanted to find out if any compensation was available for companies that were required to get certified in order to comply with the law. But no, they were very clear: the regulations may have been adjusted, but it is the market itself that determines whether an ISO audit is requested. So, are we just making it difficult for ourselves? Can’t we just as easily make our own agreements on procedures and processes and how we interact?
I’ve resigned myself to the fact that the ISO Mob rules, and we’ve started our certification. It will be a long road full of ups and downs, as I’ve been assured by several of the specialized agencies that want to help me get ready. They also assure me that the certification will be there at the end of the road. You will all hear me shout it out when we get that certification. We will support ISO with all our might and will blacken all those that haven’t been certified yet. And so we too will help the ISO economy thrive.