This is how "well known giant corporations" are. They have chosen not to understand the GDPR, gotten a lawyer to state that "ISO27001 certified vendors" will not pose a risk to them under the GDPR's security requirements, and so have set policy that they cannot purchase from vendors that are non-compliant.
Their policy office is probably still busy waiting for Y2K.
It sucks, but HIPAA was exactly the same, and I heard exactly the same complaint from tiny companies back then too.
You can get ISO27001 for as little as $5k. My advice is that if you can afford it, suck it up; if you can't, offer ISO27001 on-prem installation for an extra $10k. If they walk, they walk. You can probably get them later (see below).
But see, it's important to understand that you're wrong: This isn't a side-effect of the GDPR.
This is a side-effect of capitalism: With no laws requiring that they keep personal data safe, it is to their benefit to keep the data in as insecure a form as possible.
Look at Equifax[1], who have lost control of perhaps every single American's name, DOB, SSN, and address.
Data Protection laws are designed to protect people. Eventually, people will get used to them; the dust will settle. You'll have an opportunity to explain the actual risk/reward clearly to your potential customer's CIO office because the savings/efficiency you're promising will make it worthwhile.
But right now? Too much fucking hyperbole about the GDPR for anyone to be thinking clearly.
[1]: https://www.sec.gov/Archives/edgar/data/33185/00011931251815...