Privacy+ Certification: Should I, or Shouldn’t I?
By: Tom Dumez, CHP, CSCS
With my many years of involvement with PRISM and so many relationships that have been formed over the years, I am asked by PRISM members often if they should either pursue or renew their PRISM Privacy+ Certification. The question is always the same: “Should I, or shouldn’t I? What is the benefit?” While Privacy+ hasn’t been around as long as NAID AAA Certification, because of the hard work by the dedicated members of the Privacy+ Certification Committee, I am really excited about the future of PRISM Privacy+. And it is starting to gain traction.
As a member of the PRISM Board of Directors from 2010-2012, we released the first certification program ever offered by the industry. It wasn’t without its flaws certainly, but we had to start somewhere. We had to start from scratch as this didn’t exist, and who better to incept the industry’s certification than the actual experts in the industry – the PRISM members that volunteered to be on the Board? If you remember, it was initially a self-certification/attestation and had educational sessions that you were required to attend. There have been several improvements made from that format over the years, including a time when members could use a SaaS 70 (now SSAE 18) audit instead. This helped to identify vulnerabilities, especially of I.T. systems and databases.
i-SIGMA and the Privacy+ Certification Committee have now taken this certification even further. It is now essentially modeled after NAID AAA Certification with more requirements for RIM (operations, transportation, security, employee, etc.) than PRISM Privacy+ Certification previously required. The SSAE 18 is now a voluntary component, which is helpful for a company to have. We took the highest industry standards from a very well known (by both members as well as their customers) certification program (NAID AAA Certification) and adjusted language, added necessary facility requirements, and more. The result is solid, robust, secure, and exciting.
Two of my customers (record centers) have recently told me that they have been contacted by prospects that now can only use a PRISM Privacy+ Certified vendor. To me, this means two things: 1) your customers are now searching to use PRISM Privacy+ Certified service providers either because they have heard of PRISM Privacy+ or they have searched for record storage industry certifications, and 2) you could be leaving money on the table if you aren’t considering PRISM Privacy+ Certification.
Many companies seeking document destruction services now have their own policies that require them to ONLY use a NAID AAA Certified vendor. That immediately leaves non-certified members out of RFP consideration. One benefits to those i-SIGMA members that are already NAID AAA Certified is that the same auditor can do both audits during a single visit. These certifications now both attest that your operation is performing at the highest levels of security, confidentiality, and privacy, as well as meeting the compliance obligations of several key regulations.
With the continued efforts of the i-SIGMA Board, the Privacy+ Committee, the staff, and the feedback of members, I see a really bright future for PRISM Privacy+ Certification. Soon it will be recognized at the same level as NAID AAA Certification!
So, you tell me: Should you, or shouldn’t you? I think it’s pretty obvious.
By: Tom Dumez, CHP, CSCS
Tom Dumez, CHP, CSCS is the owner and president of Prime Compliance based in Grand Rapids, MI. As an industry subject matter expert on regulations and compliance he has traveled internationally as a speaker and trainer.
Prime Compliance provides Policy and Procedure review, Handbook review, and Business Associate Agreement review, with the goal of making customers the HIPAA experts in their marketplaces. It is an i-SIGMA Approved Consultant and can help companies obtain their first time NAID AAA and PRISM Privacy+ Certifications.
June 10, 2020