In follow-up to Stakeholders & Legal Requirements, you will need to stay in control, and do your research, when expanding your business to other countries.
Additional requirements for your ISMS can be imposed by (1) your customers or by (2) laws.
1. If conducting business with corporates, read the Master Service Agreement carefully before signing. Additional requirements will probably cover new security, privacy or quality standards, as well as new insurance requirements.
Some tips before accepting new security, privacy or quality standards:
- always ask about what you do not understand; corporates sometimes add their own internal standards, and you will need to be aware of them so they do not surprise you after signing.
- if new standards are required, ask whether you need to adopt them or need to get certified. Certification costs money, and you will need to negotiate that into your pricing.
- ask how the corporate organizes quality assurance, and be prepared for an external audit by the corporate.
2. Entering new markets will require some research on privacy and security requirements. Personal data privacy regulations need to be taken into consideration when contracting or expanding outside of the GDPR geographic area.
In the Procedure/Info of the Global Impact section you can find two links that will help you prepare your research: the DLA Piper website with an overview of Data Protection Laws of the World, where you can compare your country with any other country in the world on all Data Protection topics, and Global Partners Digital (GPD) with a World Map of Encryption Laws and Policies.
Both can be used to do your research and get you prepared when talking with customers.
Record the additional requirements per country or per customer, and note which activities (reviewing policies, adding security or privacy controls) you have carried out to comply.
| Field | Value / Description | Example |
|---|---|---|
| Country | free text field | Romania |
| Additional Compliance Requirements | free text field | In addition to the requirements provided by the GDPR in Articles 37 to 39, Law no. 190/2018 provides that a data protection officer (DPO) must be designated whenever the entity acting as controller is processing a national identification number, including by collecting or disclosing any documents enclosing such national identification number, when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, in accordance with the provisions of Article 6 paragraph 1 letter (f) of the GDPR. |
| Operational Impact | free text field | we will need our own DPA |