Most companies have data that is processed externally: outsourced payroll or bookkeeping, or apps and programs accessed through the cloud. In every such case, data is being processed on your behalf, and wherever data is processed there is a risk of a data breach. Under GDPR, the controller remains responsible for how personal data is handled, so whether a breach or accident happens at your end or at the supplier's, you are accountable for the security of that data.
That's why more and more companies now choose to have their GDPR and IT security work reviewed and documented by independent auditors.
The benefit of choosing a supplier with ISAE declarations is that you receive documentation of their data processing and security, and that documentation has been verified by an independent auditor. It gives you assurance, and it saves you time.
But whether or not you select a supplier with ISAE declarations, you must never down-prioritise IT security.
So which questions should you ask to ensure your supplier is GDPR-compliant?
We've gathered the essential questions so you can make sure your supplier is GDPR-compliant and has documented security procedures and IT systems to match.
Employee data, customer data, etc., are typically processed both by you and by your suppliers. But your company is responsible for the correct processing of that data. Therefore, ask your supplier for documentation showing that they are GDPR-compliant.
Ask which control objectives your supplier has in place for data security and IT infrastructure. A control objective could, for example, be a documented process for handling GDPR incidents, or an up-to-date overview of which systems process which data, especially personal data.
A significant part of ISAE 3402 is defining a set of documented control objectives that are then tested by a specialised auditor.
Ask your supplier how often they review, validate and update their IT policy and security measures. Companies regularly buy new programs, IT tools or apps, and these must be reflected in the processes and documentation.
Note the difference between ISAE declarations and ISO 2700X certification. An ISAE 3402 or ISAE 3000 report covers a defined period and is typically renewed every year, so the auditor's testing is repeated annually. An ISO 2700X certificate (for example ISO/IEC 27001) runs on a three-year cycle with annual surveillance audits and shows that the requirements were met when the certificate was issued. So if your supplier has an ISO certification, ask when it was issued and when the most recent surveillance audit took place.
How often do you visit your supplier? They may be located entirely or partly in another country. An ISAE 3402 audit typically includes on-site testing of the supplier's physical security controls.
Before you implement a new system in your company, you need to understand the entire process by which your supplier handles your data and that of your customers and employees. Within the EU/EEA, all companies are subject to the same GDPR rules. You should be aware of the documentation showing how the supplier lives up to those rules.
Ask how the supplier handles a security breach, and note whether they have a standardised and documented process.
If someone accesses your data without authorisation, your supplier must inform you; GDPR requires a processor to notify the controller without undue delay after becoming aware of a personal data breach. An ISAE 3000 declaration gives you assurance that this will happen in practice, because the supplier's breach-notification procedure is documented and is reviewed by the auditor at regular intervals.
You probably have an idea of which data your supplier should be processing. But make sure your supplier can document the data they actually process, including any processing done by sub-suppliers or partners (sub-processors).
With an ISAE 3000 declaration, you get an overview of which data is processed, so you don't need to investigate it yourself.
It's always good to be prepared. So before you start working with a new supplier, ask for a thorough description of the risks they have identified in relation to their data processing.
With ISAE 3402, you can be confident that the data-related processes and procedures have been tested and reported on by an independent auditor.
Many companies are relatively good at describing how they comply with the GDPR rules. But it is just as essential that the IT security behind them, i.e. the systems, infrastructure and processes, actually supports your GDPR measures, and that the IT security is as well documented as the GDPR policy.
Without IT security, GDPR measures have no value. If you want to be on the safe side, look for a supplier with both an ISAE 3000 and an ISAE 3402 declaration.
You want a supplier where security is not just a buzzword but an integrated part of the organisation. A typical control area in an ISAE 3402 report is internal training on IT security, data processing, etc. Ask your supplier what they do to ensure employees think about IT security and GDPR as part of their daily work routines.
At TimeLog, as a service provider, we must ensure our customers take on no extra risk by entrusting us with parts of their business and data. Therefore, we are committed to working with a certified auditor to obtain the ISAE 3000 GDPR and ISAE 3402 declarations as a continuous, yearly target in our compliance and information security work.
This is how we protect your data and maintain high security standards.
Share the ten questions with your supplier.
Finally, we've collected the ten questions here so you can easily copy them and send them to new or existing suppliers, ensuring you receive satisfactory answers to support your GDPR compliance.