Client requirements will drive certifications

With NAID AAA certification being one of the most successful vendor qualifications accreditations in the world, it might seem odd for me to say that such verifications will evolve.

The reason I say that is because the role of such certifications has evolved over the past decade, and while some service providers might like to relax these standards, such hopes ignore reality.

Once upon a time, certifications were meant to provide peace of mind. Let’s face it, when there are a lot of vendors making a lot of claims that are hard to verify, the customer is looking for reassurance, and certifications can fill that need.

Then something changed. Over the last decade, customers became increasingly responsible for the regulatory compliance of their data-related service providers. The challenge, however, is that most customers have neither the knowledge nor the inclination to properly verify vendor regulatory compliance on their own. Seeing this disconnect, NAID has been very responsive in modifying its certification to fulfill this new role, even accommodating customer requirements to obtain risk assessments.

Many customers don’t yet know why this is important, but that is slowly changing as members get better at explaining this new value proposition. Eventually, as data protection continues to grow as a priority, customers will need certification to go even further, which leads me back to my opening statement.

At some point in the future, customers are going to expect the next generation of certifications to be customizable to their particular specifications. Of course, a baseline operational expectation—a floor, if you will—will remain, but the customer also may want to verify a particular particle size or destruction time frame or a special level of employee screening that is more stringent than the baseline.

One reason for this is that regulators are going to require customers get more involved in evaluating the certifications they rely on. Relying on an inadequate certification will be viewed as a due diligence failure and will land them in the same hot water they sought to avoid. As customers get more involved, they will ask for special considerations.

Additionally, all customer needs are not the same, and with today’s technology an organization like NAID can be capable of fulfilling the inspection requirements of a particular client on a particular service provider.

No, this will not happen anytime soon, maybe not even on my watch. But it will happen, and it should.

Bob Johnson is CEO of the National Association for Information Destruction. He can be reached at rjohnson@naidonline.org.