10 questions about GDPR and IT security you supplier must be able to answer
In 2018, the EU introduced GDPR (“General Data Protection Regulation”), and ever since, IT security has been a top priority for all companies.
You’re responsible for the security together with your suppliers
Most companies now realise that it’s not enough for themselves to master data policies, systems and security procedures. You also need to make certain that your partners and suppliers have their own standards, policies and procedures in place for their IT security.
Most of your data are processed externally
Most companies have data that are processed externally. It might be the outsourcing of salary management or bookkeeping or certain apps or programs that are accessed through the cloud. This means that data are processed in one way or the other. And with this, as always when you work with data, there’s a risk of a data breach. And no matter if a breach or accident happens for you or the supplier, you’re responsible for the security.
That's why more and more companies now choose to have their work with GDPR and IT security reviewed and documented by independent auditors.
3 reasons to select a supplier with ISAE declarations
- You get an independent auditor’s approval of your supplier’s GDPR compliance and general IT security level
- The supplier’s processes are documented in detail in reports publicly available
- You save time because you don’t need to control a supplier’s processes. It offers security and you know the real status of your supplier’s work related to GDPR and IT security
The benefit of choosing a supplier with ISAE declarations is that you get documentation for data processing and security, and the documentation is controlled by independent auditors. It offers security and you save time.
But no matter if you select a supplier with ISAE declarations or not, you must never down-prioritise IT security.
But which questions do you need to ask to make sure your supplier is GDPR compliant?
We’ve gathered the essential questions for you, so you can make sure your supplier is GDPR compliant and has safety procedures and IT systems.
10 things you need to ask you supplier to assess their security level
1. How do you document that you process sensitive personal data correctly?
Employee data, customer data, etc. are typically processed both by you and your suppliers. But your company is responsible for the correct processing of data. Therefore, you need to ask your supplier for documentation to prove they’re GDPR compliant.
2. Which control targets do you have in place?
Make sure to ask which control targets your supplier has in place related to data security and IT infrastructure. A control target could e.g. be a process for managing GDPR incidents, or adequate knowledge about which systems manage which data, especially personal data.
A significant part of ISAE 3402 is to set up a number of documented control targets that are controlled by a specialised auditor.
3. When did you last assess your IT compliance?
Ask your supplier how often they revise, validate and update their IT policy and security. Companies often purchase new programs, IT tools or apps, and that must be reflected in the processes and documentation. Det er ikke nok, at en leverandør har lavet en IT-politik tilbage i 2018, da GDPR blev indført. It must be updated all the time.
Unlike the ISO 2700X certifications, the control of ISAE 3402 and ISAE 3000 is performed every year. An ISO 2700X certification doesn’t need renewal, but shows that the conditions were met at the time of the certification. So, if your supplier has an ISO certification, ask when it was done.
You might think that IT security is cumbersome or expensive. And demands are high. But if you worry about the costs of being compliant, imagine what it might cost you if you’re not and the chips are down.
4. Do you revise both processes and procedures and physical and logistical security?
How often do you visit your supplier? Maybe they’re placed completely or partially in a different country? An ISAE 3402 declaration includes a physical audit of the security.
5. What is your procedure for processing sensitive personal data?
Before you implement a new system in your company, you need to know the entire process for how your supplier processes your, your customers’ or your employees’ data. In Europe, all companies are governed by the same rules related to GDPR. You need to be aware of the documentation of how the company lives up to these rules.
6. What is your procedure in case of a security breach?
Ask how the supplier manages a security breach. And note if they have a standardised and documented process.
Are your data accessed by someone without permission, your supplier is obligated to inform you. With an ISAE 3000 declaration, you’re guaranteed this will happen. The reason is that companies who obtain an ISAE declaration set up procedures that are revised regularly.
7. Which data do you process?
You probably have an idea about which data your supplier should process. But make sure your supplier can document the data they process. Also if your supplier used sub-suppliers or partners.
With an ISAE 3000 declaration, you can see an exact overview of which data are processed. And then you don’t need to investigate it yourself.
8. Which risks have you covered in connection to the processing of my data?
It’s always good to be prepared. So before you enter into a cooperation with a new supplier, you need to ask for a thorough description of the risk they have listed related to their data processing.
With ISAE 3402 you are sure that processes and procedures related to data are controlled and approved by an independent specialist.
9. How do you ensure the collaboration between your IT security and GDPR obligations?
Many companies are relatively good at describing how they comply with the GDPR rules. But it’s as important that the IT security, e.g. systems, infrastructure and processes, work with your GDPR measures, and that the IT security is as well-documented as the GDPR policy.
Without IT security, GDPR measures have no value. If you want to be on the safe side, look for a supplier with both an ISAE 3000 and an ISAE 3402 declaration.
10. How do you document that the IT security in your company mature and improve constantly?
You’d like to know that you have a supplier, where security is not just a buzzword, but an integrated part of the organisation. A demand as part of ISAE 3402 is internal education related to IT security, data processing, etc. Ask your supplier what they do to make sure that employees also think about IT security and GDPR as part of their daily work routines.
TimeLog and ISAE 3000 and ISAE 3402
At TimeLog, we believe that we as a service provider must ensure our customers that they don’t take any extra risks by giving us the responsibility for parts of their business and data. Therefore, we’re committed to work with a certified auditor to obtain both the ISAE 3000 GDPR and ISAE 3402 declarations as a continuous, yearly target in our compliance and information security work.
Curious to see examples of what the two declarations contain and see our reports?
Share the 10 questions with your supplier
Finally, we’ve collected the 10 questions here, so you can easily copy them and send them to new or existing suppliers to make sure you receive satisfactory answers to support your GDPR compliance.
- How do you document that you process sensitive personal data correctly?
- Which control targets do you have in place?
- When did you last assess your IT compliance?
- Do you revise both processes and procedures and physical and logistical security?
- What is your procedure for processing sensitive personal data?
- What is your procedure in case of a security breach?
- Which data do you process?
- Which risks have you covered in connection to the processing of my data?
- How do you ensure the collaboration between your IT security and GDPR obligations?
- How do you document that the IT security in your company mature and improve constantly?