January 28th marks the date Lusha got ISO 27701 certification from the International Organization for Standardization. Yoni and I are thrilled to have reached this milestone. But what’s more interesting than our community’s enthusiasm around this occasion is the journey we took to get here: how it came about that we set a new bar for data privacy, and what it means to be the ones introducing a new industry standard.

For those of you that don’t know, ISO 27701 is the most respected standard for information security management systems. In 2019, ISO created ISO 27701 to provide a framework for PII holders such as organizations, public and private companies, government entities and non-profit organizations to establish, implement, maintain and improve Privacy Information Management Systems (PIMS). ISO 27701 grants holders GDPR alignment status as well as alignment with all other major data protection and privacy laws.

Why We Decided to Get ISO 27701 Certified

We knew that there was a growing need for Lusha’s core sales intelligence offering among the B2B community that has become data-driven. We knew we had a product in our hands that companies needed and that sales teams relied on. But with the introduction of GDPR in Europe and the CCPA act of 2018 in the US, what we were seeing more and more of was companies’ struggles to gain access to data that they needed in order to do business. It became clear to us that the sales intelligence industry would have to create new standards for collecting, processing and transferring its data, if it was going to stay in business.

This new standard would have to be, well, standardized. And by standardized, we meant by an external body to ourselves.

Today, the gold standard for privacy is the General Data Protection Regulation. But while most B2B sales intelligence vendors define themselves to be “GDPR compliant”, this is a self-declared status and there’s no official body backing it up. Since GDPR does not issue its own certification, companies either title themselves “GDPR compliant”, or go down the path of receiving formal GDPR accreditation from an official body recognized and approved by the General Data Protection Regulation.

Getting ISO 27701 certified was a step towards external accreditation. It put us as close as any company can get to GDPR compliance, and it aligned us with all other recognized privacy laws and data protection regulations. It enabled us to gain the trust of our users – current and future – that we are serious about data protection and go far beyond simply claiming that we are GDPR compliant.

How ISO Certification Works

Any company interested in an ISO 27701 certification must apply to a third-party certification body with a CASCO standard. We did it with RONET International Certification Services and had to undergo third-party auditing of our data collection processes, our data enrichment methods, as well as our verification and prospecting services. Rigorous as those audits were, that was not all we did. We also came out of the gate with a declaration we could back up:

We had the largest dedicated team of data protection and privacy professionals of any B2B data company to date.

What We Did Differently, Or, How We Went the Extra Mile

We started using the data we had in our database to benefit our users.

We started notifying users of their ‘data subject’ status, actively reaching out to them to let them know if their publicly available information was being used for commercial purposes.

It was an extra service we could offer because we had their contact information in our database. It was a way to do something good for the user with the publicly available credentials we already collected.

It’s something to keep in mind when we think about the value of data. Who benefits from it? It’s worthwhile showing privacy regulators how publicly available information can be used not only at the service of commercial entities, but also to directly support and benefit users.

Lessons Learned

Getting ISO certified has been a big project with many of the departments in the company having a hand in it. Getting buy-in from all of our executive team required clearly quantifying the success of this laborious project, and showing a clear trajectory of how investing in good data management practices will generate a unique selling point that will put Lusha ahead of the curve.

It wasn’t easy and it took a while to get here. The auditing process is no joke and you need to have your ducks in a row for that one. This is something that companies may not know off the bat. It’s not a one-person decision nor is it a one-month effort. Achieving compliance requires buy-in from everyone and a commitment from your entire executive team. It requires meticulous hiring of privacy professionals and assembling a team dedicated to this task. It requires allocating funds. And it requires foresight. You need to envision the benefits of a new standard for the industry; what it would look like to do business in such an environment and what it would do for end users. And you need to have faith in this vision until it comes to life.

But it’s all worth it when customers sound their vote of confidence in you. Knowing they have trust in your data management protocol, in your workers, processes, and technology, validates all the hard work that goes into the certification process.

At the end of the day, customer acceptance makes for shorter sales cycles because less persuasion is needed and fewer explanations are required. That’s tangible ROI right there.

It also makes for a valuable asset that holds the industry to a higher standard, so that the entire industry starts seeing privacy protection as an accelerator to business rather than a red tape drag.

 

 
