ISAE 3000 GDPR Statement
An ISAE 3000 GDPR statement is the conclusion of an audit in which we assess whether your company complies with the data processor agreements it has entered into and with the Data Protection Regulation (GDPR).
In addition to being a requirement of your company's clients, the ISAE 3000 GDPR statement sends a signal that your company takes IT security seriously. This can positively affect partners and potential clients as well as be a strong competitive parameter.
Today, many public institutions and companies require their suppliers to have a statement of the company's GDPR compliance. This is also a tendency that is being seen more often in the private sector.
It can be expensive not to have control of the company's data processing. In the worst case, it can result in fines of up to 4% of the company's annual turnover.
How does Baker Tilly prepare the auditor's statement?
To prepare the ISAE 3000 GDPR statement, we collect the relevant documentation and hold interviews with key employees who can give us insight into the processes and business procedures in which personal data is processed.
We provide a work plan stating what the requirements are for the documentation, which at the same time provides an overview of which areas can be strengthened.
Our review includes an assessment of all areas of the Data Protection Regulation, including:
- Logging of access and use of personal information
- Security, both physical (computers, servers, etc.) and software-based (antivirus, firewalls, etc.)
- Review of instructions and compliance with these
- Protection of personal data
- The right to be forgotten
What is GDPR?
All companies that process personal data are covered by the Data Protection Regulation, which entered into force on 25 May 2018.
Personal data of any kind is data that can be attributed to a particular person. Sensitive personal data is data about race and ethnic origin, political beliefs, religious or philosophical beliefs, trade union affiliations, genetic data, biometric data, health data and sexual orientation.
A company is therefore covered if, for example:
- some employees receive a salary
- clients include private individuals
The Data Protection Regulation is about the processing of personal data, both in the form of data protection and the proper handling of this data.
Do you need an ISAE 3000 or ISAE 3402 statement?
Baker Tilly can assist you and your company with a review of your data processor agreement as well as the different types of statements.