ISO and GDPR: our security and data management approach in 2021
WaveAccess is compliant with the GDPR and ISO/IEC 27001 standards, and we also apply internal security procedures to prevent the compromise of any data, be it our own or our customers’.
Post-COVID business practices have changed drastically, but data security remains pivotal for companies of all sizes. WaveAccess was prepared for these new challenges: we had been practicing the distributed teams approach and remote work models long before 2019. Moreover, we started our GDPR compliance journey back in 2017.
To avoid any compromise of our own and our clients’ data, we apply a wide range of tools and solutions. Our team of Security Officers and DevOps experts works closely with all WaveAccess departments to ensure compliance with the level of protection required by EU law.
There is no specific certification for the GDPR: the Regulator sets broad principles, and their practical application is highly fact-specific. The GDPR requires privacy by design and by default: protection of informational assets should not be something superficial, but a genuine way of operating a business.
GDPR compliance
WaveAccess had reviewed its data security framework by the time the new law came into effect on May 25th, 2018, and is committed to the principles outlined in the GDPR for all EU residents who share their data with us.
To ensure that we were duly prepared for the GDPR, WaveAccess engaged Deloitte to conduct an Initial Compliance Review back in November 2017 and received a highly positive assessment:
To show compliance with the GDPR, WaveAccess implements organizational and technical safeguards to protect data from destruction, loss, alteration, and unlawful disclosure:
- We review our company’s procedures and policies on how personal data is collected and processed, such as the data governance policy, consent forms and privacy notices on our websites, and data processing agreements.
- We use appropriate software and tools that help execute these procedures, e.g. malware protection, pseudonymization, encryption, and the ability to identify and block data breaches.
To date, we have adapted our processes and reviewed the Privacy Policy to comply with the new regulation.
Our rule of thumb here is to determine whether a potential data breach could result in a risk to the rights and freedoms of individuals (e.g. discrimination, damage to reputation, financial loss). If it could, then we ensure stricter protection for these categories of data.
ISO/IEC 27001 and ISO 9001:2015 standard compliance
Following several standards helps companies manage the security of financial information, intellectual property, personal details, and information entrusted to them by clients.
ISO 27001:2013 is the internationally recognized framework that helps companies establish, implement, operate, maintain, and continually improve their information security management system in order to keep their information assets secure. In 2020, WaveAccess successfully completed the scheduled surveillance audit confirming that its information security management system complies with the requirements of the standard. Based on the positive audit findings, the certification body auditor confirmed the validity of certificate No. 31101468 ISMS13 dated 08/10/2019 issued to WaveAccess.
We were also audited for compliance with the corporate quality management system (QMS) requirements of the ISO 9001:2015 international standard. A compliant organization:
- shows its ability to deliver products and services that meet customer and applicable statutory and regulatory requirements;
- aims to enhance customer satisfaction through the effective application of the quality management system, including its improvement and the assurance of conformity to customer and applicable statutory and regulatory requirements.
The certificate, issued to us last June by DQS Holding, is valid until 2023.
***
Whether fighting the pandemic or keeping businesses running, digital innovations can make a real positive impact. However, these solutions cannot be effective until people trust them, and robust data protection practices are a key component of that credibility. We work hard to create highly reliable solutions that build trust between our clients and their digital audience in Europe and worldwide.
Since 2018 the GDPR has kept evolving, with court decisions and official guidance documents shaping its legal enforcement. We closely monitor changes to the GDPR and update our practices accordingly to ensure continuous compliance. Recently, for example, the European Commission adopted new Standard Contractual Clauses (Decision EU 2021/914 of 4 June 2021). These new SCCs cover a broader range of data transfer scenarios and appropriate safeguards. Our team is already working to incorporate the new SCCs into the data processing agreements with our EU clients.
Let us tell you more about our projects!
Contact us:
hello@wave-access.com