Global Impact

Following up on Stakeholders & Legal Requirements, you will need to stay in control when expanding your business to other countries, and that requires research.

Additional requirements for your ISMS can be imposed by 1. your customers or by 2. laws.

1.  If conducting business with corporates, read the Master Service Agreement carefully before signing. Additional requirements will probably cover new security, privacy or quality standards, and new insurance requirements.

Some tips before accepting new security, privacy or quality standards:

  • always ask about what you do not understand; corporates sometimes add their own internal standards, and you need to be aware of them so they do not surprise you after signing.
  • if new standards are required, ask whether you need to adopt them or need to get certified. Certification costs money, and you will need to negotiate that into your pricing.
  • ask how the corporate organizes quality assurance, and be prepared for an external audit by the corporate.

2.  Entering new markets will require some research on privacy and security requirements. Personal data privacy regulations need to be taken into consideration when contracting or expanding outside of the GDPR geographic area.

In the Procedure/Info of the Global Impact section you can find 2 links that will help you prepare your research: the DLA Piper website with an overview of all Data Protection Laws of the World, where you can compare your country with any other country in the world on all data protection topics, and Global Partners Digital (GPD) with a World Map of Encryption Laws and Policies.

Both can be used for your research and to get you prepared when talking with customers.

Add the additional requirements per country or per customer, and record what activities (reviewing policies, adding security or privacy controls) you have undertaken to comply.

| Field | Value / Description | Example |
| --- | --- | --- |
| Country | free text field | Romania |
| Additional Compliance Requirements | free text field | In addition to the requirements provided by the GDPR in Articles 37 to 39, Law no. 190/2018 provides that a data protection officer (DPO) must be designated whenever the entity acting as controller is processing a national identification number, including by collecting or disclosing any documents enclosing such national identification number, when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, in accordance with the provisions of Article 6 paragraph 1 letter (f) of the GDPR. |
| Operational Impact | free text field | we will need our own DPA |
