You’ll find the GDPR logo on almost every data provider’s website. But without evidence, it means nothing.
For a RevOps leader or a General Counsel, a badge in a footer isn’t a legal shield. If a provider scrapes data without legal basis or lacks a mechanism to process deletion requests, the liability doesn’t stay with them—it follows the data into your CRM.
In the world of data enrichment, compliance is not a binary setting. It is a spectrum of evidence.
To protect your GTM system, you need to move past the marketing claims and look at the actual audit trail.
Three tiers of compliance evidence
When evaluating a provider, you can categorize their compliance claims into three tiers. Most providers stop at Tier 1.
- Tier 1: Security certs (SOC 2, ISO 27001). There is no privacy without security in place. Although these are valuable, they do not audit how the data was collected or whether the provider has the legal right to sell it to you.
- Tier 2: Privacy audits for GDPR & CCPA compliance. Self-declaration without an external certification is not worth much. Make sure a recognized European auditor (like ePrivacy) has checked the GDPR posture, and a US firm (like TRUSTe) has checked the CCPA posture.
- Tier 3: Privacy certs (ISO 27701 and ISO 31700, Privacy by Design). These are the gold standards. An independent external auditor has reviewed actual collection, processing, and deletion practices to ensure they meet global standards.
While many providers in the Clay landscape reach Tier 2, Lusha is currently the only one to maintain all three Tier 3 certifications & attestations.
This isn’t just about being safe. It’s about having a documented, audited trail for every record in the system.
Inside the Tier 2 & 3 audits: What they actually check
If a provider claims Tier 3 compliance, they are submitting to a level of scrutiny that most companies avoid. Here is the depth of a Tier 3 audit scope:
- Accredited ISO 27701: This audits how data is collected, processed, and deleted. It requires an annual audit and a full recertification every three years to ensure “Privacy by Design” isn’t just a catchphrase. Make sure the ISO 27701 certificate is accredited (meaning the international ISO body vouches for this certification).
- ISO 31700 Privacy By Design: This audit focuses on how privacy is “baked into” the product from the ideation phase through to disposal. Auditors verify approximately 30 requirements across several core areas:
- TRUSTe: This checks the actual company privacy program against the 112 controls required in the CCPA.
- ePrivacy: It focuses on privacy mechanisms, data transfers, and specific requirements of the GDPR. For teams targeting the EMEA market, this is the most critical audit for proving GDPR compatibility.
An inconvenient truth
There is an uncomfortable truth in the data industry: Good data can’t be free.
Maintaining annual audits, hiring dedicated compliance staff, and building the infrastructure to handle global “Right to be Forgotten” requests cost real money.
When you pay for a subscription, you are funding the certification and rights-handling infrastructure that keeps your provider out of legal crosshairs. If a provider is significantly cheaper than the market, the compliance budget is usually the first thing they cut.
The 7-question buyer’s checklist
Before you add a new provider to your enrichment waterfall, ask these seven questions. If the answers are vague, the risk is yours.
- Ask for the certificate, not the badge. Anyone can put a logo on a website. Ask for the actual summary report or certificate of registration.
- Distinguish security certs from privacy certs. If you ask about GDPR and they hand you a SOC 2 report, they are showing you their lock while ignoring the contents of the room.
- Check the scope. Does the certification cover the actual data product and database, or just the company’s internal corporate IT?
- Ask about the data collection method. Is it real-time scraping (which is nearly impossible to audit for consent) or a proprietary database with a documented notification loop?
- Ask when the last audit was completed. Compliance isn’t a one-time event; if the audit wasn’t recent, the practices have likely drifted.
- Check whether there is an in-house privacy & compliance team, and what their qualifications are. If a data broker relies on an external DPO, it signals a lack of internal controls.
- Confirm that the data broker can send you a notice in accordance with Article 19 of the GDPR, notifying you about opt-outs.
The bottom line
Don’t take “GDPR compliant” at face value.
Ask any provider: “Can you provide the independent audit report that verifies your data collection practices?” If the answer is a link to a privacy policy, they don’t own the standard they’re claiming.