ECA started life in the 1970s as a club for international companies to share data relating to expatriate compensation. So, it is easy to see that information has played a key role throughout our nearly 50-year history. The early surveys of salaries and costs always came with practical considerations of anonymity, the accuracy of the data and how best to deliver the valuable finished products. Information security has therefore always been a priority for ECA, whose staff have to consider the confidentiality, integrity and availability of the data they process every single day. What has changed over the years is the technology we use, the volumes of data processed and the nature of the services that ECA provides.
The legal landscape relating to personal data has also changed through the years. In 1995 the EU harmonised data protection law with the Data Protection Directive (95/46/EC). This marked the first stage in a progressive tightening of how personal data could be used, culminating in the General Data Protection Regulation (GDPR), which came into effect in May this year. Since non-compliance with the GDPR can result in fines of up to 4% of global annual turnover, information security has rapidly grown in importance to become a key boardroom risk item.
Why ECA has adopted ISO 27001
ECA recognises, given the amount and types of data we process and the services we offer through our hosted software solutions, that the way we treat data will come to define business success for us and for our clients. In particular, we realise that both parties need to reduce the risk of non-compliance with GDPR and its associated fines and that in order to achieve this more companies will move towards adopting information security standards. The advantages for companies in doing so are to both reduce the time they spend on due diligence and to be able to speak a common language with suppliers who have adopted the same standard.
Therefore, last year ECA embarked on an initiative to become the first provider of global mobility services to gain ISO 27001 certification. This led to us receiving the certificate in June this year. The key benefits for our clients that will result from this certification are as follows:
ISO 27001 – Key benefits

| What it is | Benefit |
| --- | --- |
| Independently and externally audited | Reduces the amount of time each client needs to spend on auditing |
| Helps ECA comply with business, legal, contractual and regulatory requirements | You can be assured that ECA's controls are assessed against a recognised standard that supports compliance with important laws such as the GDPR |
| Reduces risk of regulatory fines | With both controllers and processors liable for fines under GDPR, your risks are also reduced |
| Quicker due diligence | Once your compliance team understands what the certification covers, form filling and other due diligence tasks can be reduced |
The scope of this certification relates to all the information that ECA processes on your behalf, and covers:
- All client data stored and processed by ECA in our secure data centres and our offices in London, Hong Kong, New York and Sydney
- The business processes in place for delivery of our software as a service assignment management system, ECAEnterprise
- Management of confidential personal data held as part of our data services, consulting services, training services, survey management and customer support
Continual improvement
At the core of ISO 27001 is the requirement to establish, implement, maintain and, perhaps most importantly, continually improve an information security management system (ISMS). ECA recognises that the threat landscape continually evolves and that our information security management must therefore keep improving to meet new threats. This is similar to the way we run the rest of our business, where the bar must always be raised higher to deliver the best products and service for our clients. So, whether it is delivering better geographic coverage, improving our website or changing our processes for maintaining the confidentiality, integrity and availability of your information, we are always looking to improve the service we provide to you.
Our clients have a role to play too
Finally, a reminder about your role in managing information security. We recognise that our work is done in direct partnership with you, which sometimes means sharing confidential or personal data with each other. This must always be done as securely as possible and the data minimised so that only that which is required to complete the job is shared. So, we would like to remind you that if you don’t need to send personal information in order to get the job done – please don’t!