How secure is your data?
You and your supplier are responsible for security. That’s why we have created a list of 10 GDPR questions you must demand answers to.
Most of your data is handled externally
Many companies manage their data outside the company. This could be, for example, by outsourcing payroll administration, bookkeeping, or using certain cloud-based apps and programs. This means that data is handled externally in various ways. When working with data, there is always a risk of a data breach. Whether you or your supplier are affected by a breach or error, it is your responsibility to ensure that security is in place.
Three reasons to choose a supplier with an ISAE declaration:
You get an independent auditor’s assessment of your supplier’s GDPR compliance and IT security level.
You save time by not having to review the supplier’s processes. This provides peace of mind, and you gain secure knowledge about the supplier’s GDPR and IT security measures.
The supplier’s procedures are thoroughly documented in publicly accessible reports.
By choosing a supplier with ISAE declarations, you obtain documentation for data processing and security, verified by independent auditors. This not only gives you peace of mind but also saves time. However, it’s essential to remember that IT security should never be neglected, regardless of whether your supplier has ISAE declarations. But what should you ask to ensure your supplier complies with GDPR? We have compiled the most important questions you can ask to ensure your supplier is on top of GDPR compliance, security procedures, and IT systems.
Ten questions to ask your supplier to assess their security level:
1. How can you prove that you handle sensitive data correctly?
Both you and your suppliers share the responsibility of handling employee and customer data. It’s crucial that you ensure this data is managed correctly. Therefore, it’s important to request documentation from your supplier that demonstrates their compliance with GDPR rules.
2. What security goals have you implemented?
Ask what objectives and controls your supplier has established for data security and IT infrastructure. A control objective might be a process for handling GDPR-related incidents or a clear and transparent understanding of which systems handle which data – especially personal data. A significant part of ISAE 3000 is setting up a series of documented control objectives, which are audited by a specialist.
3. When did you last review your IT compliance?
Ask your supplier how often they review and update their IT policies and security. Companies frequently add new programs, IT tools, or apps, and these changes should be reflected in their processes and documentation. Unlike ISO 2700X certifications, which do not require ongoing renewal, ISAE 3402 and ISAE 3000 undergo annual audits. If your supplier has an ISO certification, remember to ask when it was last updated.
“IT security can feel like a heavy burden, and it may be tempting to cut corners. But before you do, consider the consequences – the cost of ignoring compliance can be far higher than the cost of complying.”
– Christian Wadskov
System Administrator, CapaSystems
4. Do you regularly audit both your processes and physical security?
How often do you visit your supplier? Perhaps they are located in another country? An ISAE 3000 declaration includes a physical review of their security.
5. Which procedures do you have for handling sensitive data?
Before implementing a new system in your company, you need to know the full process of how your supplier handles your, your customers’, or your employees’ data. It’s a legal requirement for all companies in Europe to comply with GDPR rules, so ensure your supplier can document how they adhere to these requirements.
6. What do you do in the event of a security breach?
It’s crucial to inquire about how your supplier handles security breaches and whether they have a standardized and documented procedure. Remember, if someone unauthorized gains access to your data, the supplier must promptly inform you. An ISAE 3000 declaration ensures that such procedures are in place and are regularly audited.
7. Which data do you handle?
You likely have a good idea of which data your supplier should handle, but it’s essential that the supplier can document which data they are processing. This also applies if the supplier uses subcontractors. With an ISAE 3000 declaration, you get a clear overview of the data processed, so you don’t have to investigate it yourself.
8. What risks have you identified regarding the handling of my data?
To be prepared, it’s a good idea to get a detailed description of the risks your supplier has identified in connection with data processing. With ISAE 3000, you can be confident that an independent auditor has audited and approved data-related processes and procedures.
9. How do you ensure the collaboration between your IT security and GDPR obligations?
Many companies are good at describing how they comply with GDPR rules, but it’s equally important that IT security – including systems, infrastructure, and processes – works together with GDPR measures. Without solid IT security, GDPR measures have no effect.
10. How do you document that IT security in your company is constantly evolving and improving?
You want to work with a supplier where IT security is an integrated part of the business and not just a buzzword. One requirement of ISAE 3000 is internal training in IT security and data processing. Ask your supplier what they do to ensure their employees see IT security and GDPR as a natural part of their daily work.
CapaSystems and ISAE 3000
At CapaSystems, it is our responsibility as a service provider to ensure that our customers do not take on unnecessary risks by entrusting parts of their business and data to us. Therefore, we work in close partnership with a certified auditor to achieve and maintain the ISAE 3000 declaration as part of our annual work with compliance and information security.
Share the ten questions with your supplier
We have gathered the ten questions here, so you can easily copy and send them to both new and existing suppliers. This way, you can ensure that you get the necessary answers that will help you maintain GDPR compliance.
1. How do you document that you handle sensitive personal data correctly?
2. What control objectives do you have in place?
3. When did you last review your IT compliance?
4. Do you regularly audit both processes, procedures, and physical security?
5. What procedures do you have for handling sensitive personal data?
6. What is your procedure in the event of a security breach?
7. What data do you handle?
8. What risks have you identified regarding the handling of my data?
9. How do you ensure that your IT security and GDPR measures work together?
10. How do you document that IT security in your company is continuously improving?