Processor audit – how to check if the processor complies with GDPR?
On a daily basis, we entrust data to various companies – business partners, service providers, marketing agencies, accounting firms, and others. These are processors, who process personal data on behalf of the data controller. Regulating the terms of cooperation between the controller and the processor is one of the key elements of the data protection system. To ensure that the cooperation complies with the General Data Protection Regulation (GDPR), it is necessary not only to properly draft the data processing agreement but also to regularly conduct processor audits.
Since May 25, 2018, every organization processing personal data (both data controllers and processors) must comply with the requirements of the GDPR. Implementing GDPR itself can be quite costly and time-consuming. Additionally, there is the risk that the entity entrusted with the data may not follow the terms of cooperation and may not comply with the obligations imposed by GDPR. In practice, almost every organization entrusts personal data to its suppliers – such as HR, payroll, marketing, or training companies. All these suppliers are processors.
How can their activities be monitored? Signing data processing agreements with data processors is only the first step towards GDPR compliance. The second and necessary step is continuous monitoring, i.e., processor audits. This is crucial because the responsibility for ensuring that the actions of the processors comply with GDPR rests jointly with both data controllers and subcontractors.
Processor and data controller
To begin with, a few introductory words. A processor is an entity that processes personal data on behalf of the data controller. It is important to distinguish between a processor and a data controller: the fact that an entity processes personal data does not automatically mean that it is also a data controller. Determining whether an entity is a controller or a processor is necessary in order to define its responsibilities.
A data controller (Article 3 of the GDPR) is a natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of processing personal data. On the other hand, a processor (Article 4, point 8 of the GDPR) is an entity that processes personal data on behalf of the controller.
The General Data Protection Regulation (GDPR) imposes an obligation on the data controller to maintain a record of processing activities. The controller is responsible and has the decision-making authority regarding the purposes and means of processing the data. In practice, it is the data controller who decides what data is collected, for what purpose, how long it will be processed, and whether it will be processed independently or in collaboration with external entities. For example, the data controller could be an employer who employs an employee; it could also be a person or entity running an online store that collects and processes customer data.
In the case of a processor, we are referring more to the activities they undertake on the instructions of the data controller, carrying out tasks or objectives specified by the controller. A processor can be a natural or legal person, a public authority, agency, or another entity. The processor receives information on how to process the data but may – based on their experience and specialization – suggest the best tools for this purpose, such as software.
Examples of activities entrusted by the data controller to the processor include document storage services, external HR and payroll services, accounting services, document destruction, IT services, or training services.
How to audit a processor?
The provisions of the GDPR clearly indicate that the data controller is responsible for the correct and secure processing of personal data, both by themselves and by the entity to which they have entrusted such a service (the processor). Therefore, it is the responsibility of the data controller to check whether the processor is complying with the GDPR regulations and the terms specified in the agreement. This is where processor audits come into play. It is important to note that the regulation does not explicitly state that audits are mandatory, but this is considered good practice.
Processor audits are an important verification service, without which data controllers may expose themselves to criminal and financial liability, not to mention the risk of violating the rights and freedoms of data subjects. All of this could lead to serious consequences for the data controller. Therefore, even before signing an agreement with a processor, it is worth checking whether they follow GDPR-compliant practices and whether they can be trusted. Furthermore, audits should be conducted systematically after the agreement is signed and throughout its duration, to ensure that the processor is fulfilling their duties. It is advisable to specify in the agreement that the processor is required to undergo an audit.
What does a processor audit include?
A compliance audit of data processors with GDPR regulations involves verifying the solutions used by the processor. Both legal and factual aspects are examined. The result of such an audit is a report that specifies, among other things, the percentage of compliance of the processor with the GDPR, along with recommendations for the data controller regarding the level of risk associated with continuing to entrust the processing of personal data to this organization under the GDPR.
The data controller can check virtually every aspect related to the processing of entrusted personal data, such as the legality of the software used, IT security measures, data subject rights, or internal security regulations.
The processor audit aims to provide answers, among others, to the following questions:
- Has the processor appointed a Data Protection Officer?
- Has the processor implemented the required technical and organizational measures, e.g., maintaining a record of processing activities and a record of processing categories?
- Have the individuals involved in processing been required to maintain confidentiality?
- Has the processor implemented mechanisms and procedures that allow for the immediate reporting of personal data breaches?
- Does the processor refrain from transferring the data to third countries?
It is worth noting that, compared to the early days of the GDPR, companies are now more aware. Whereas controllers previously did not know that auditing the processor was their responsibility, it is now becoming an increasingly common practice to conduct audits even at subprocessors. Additionally, the GDPR does not regulate how often an audit should be conducted, but optimally it should be performed at least once a year.
How to effectively audit a processor?
Whether we are a data controller or a processor, auditing requires preparation and knowledge of how to conduct it. Fortunately, we don’t have to rely on our own resources. The GDPR regulation allows for the use of specialized external services – one such company is PBSG. At the request of the data controller, we can verify whether the company entrusted with the data complies with GDPR requirements.
How does this work in practice? We begin each project with preparation and planning. Personal data protection is a sensitive issue, and so is the processor audit; the audited processor may feel stressed by external control. We ensure the comfort of both parties – our consultants are always available, and we keep both sides informed about the ongoing stages of the process. Our main goal is a reliable and professional partnership, the result of which will be the security of entrusted personal data, as well as peace of mind in case of a GDPR audit.
Read more about how the audit works: Processor audits within the framework of personal data security.
Audit – what does it look like from the perspective of the data controller and the processor?
Data controllers can count on us to approach the matter professionally. Our goal is to confirm the compliance of data processing or to identify any non-compliance in the processing of personal data by the processor, both in terms of GDPR requirements and the data processing agreement. Finally, we provide recommendations regarding the continuation of cooperation with the processor and suggestions for any potential changes.
Benefits for the data controller:
- Confidence that operations are conducted in compliance with GDPR
- Minimization of the risk associated with transferring data to unreliable external entities
- Activity in this area is well-regarded during inspections by the supervisory authority or internal audits
Our services are also available to processors or subprocessors who want to check whether they meet the requirements of the GDPR. In this case, we provide representation during the data controller’s audit. We ensure that the audit conducted by the data controller is carried out properly and in accordance with the agreement. We will also analyze the audit report, and if any non-compliance is identified, we will prepare appropriate recommendations, including the possibility of renegotiating the data processing agreement.
Remember, carrying out the audit obligation does not have to be a burden for either the data controller or the processor, nor does it have to be a lengthy process for either party. One of the advantages is the option of a remote audit – using questionnaires, audit checklists, and document analysis. With specialized consultants, a GDPR compliance audit will be stress-free for both parties, and its result may strengthen the partnership and the reputation of trustworthy partners.