The National Association for Information Destruction (NAID) and the Secure Information Governance & Management Association (i-SIGMA), Phoenix, have announced that the NAID AAA Certification will require policies and procedures to be updated to address requirements of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) wherein service providers are required to respond to data subject requests. The certification update will go into effect Jan. 1, 2020.
According to a news release from i-SIGMA, the association is requiring all NAID AAA Certified service providers to update their policy language.
“First of all, our covenant with the client—the data controller—is that NAID AAA Certification verifies compliance with all global data protection laws. Second, GDPR and CCPA are not bounded by national or state boundaries, applying instead to all citizens of those jurisdictions no matter where the citizen or the business with whom they share their personal information is located,” says Bob Johnson, CEO of i-SIGMA. “Lastly, it is only a matter of time until all data protection regulations give these rights to data subjects. Requiring it of all members simply prepares them for the inevitable.”
i-SIGMA plans to provide NAID AAA Certified companies with sample language for updating their written policies and procedures. The deadline to update policies is Jan. 1, but i-SIGMA reports that there is a brief grace period to add the language after that date.