MIcompany revises compliance procedures based on ISAE 3402 Type II and GDPR

As a service organisation, we recognise the importance of being compliant and of having internal control measures that we have set up, implemented and execute continuously. Each year, we compose a Service Organisation Report which is checked by an independent auditor using the ISAE 3402 assurance standard. Furthermore, we train and test all employees each year by organising a compliance exam, which is implemented as an escape game. In this game all compliance-related steps in a project are tested. Lastly, we have an internal audit during the summer to test whether our internal processes are still compliant.

However, the ISAE 3402 Type II report needs to be renewed every year, and the new European privacy regulation (GDPR) will come into effect on the 25th of May, 2018. Therefore, MIcompany successfully checked and improved its compliance procedures: the ISAE 3402 Type II audit was passed without deviations, and compliance procedures have been altered to suit GDPR regulations.

Last month, an independent auditor from AuditConnect visited our office for a multi-day audit to renew our ISAE 3402 Type II report. This report concerns our internal control measures which are relevant to the internal control of the entities that make use of the report, in relation to their financial reporting. The auditor concluded that the report offers assurance that our internal control measures have been set up properly and were implemented correctly during 2017: not a single deviation was reported. The report is available upon request for our clients and their accountants.

Besides the internal control measures, our processes have been updated to comply with the GDPR, which will become effective on May 25th, 2018. As a data processor we have worked on updating our internal processes, as well as renewing all data processing agreements and preparing Privacy Impact Assessments for all necessary projects. Furthermore, all source data containing personal data is registered. Our security levels haven’t been changed, since they were already on the highest level.