Your (often unused) power to audit data processors
Contained deep within the GDPR is a hidden power often underutilised by data controllers. Article 28(3)(h) compels data processors to make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The obligations laid down in Article 28 that processors must adhere to, and which controllers can examine, include the following:
- processing only on the documented instructions of the controller;
- obtaining a commitment of confidentiality from anyone the processor allows to process the personal data;
- putting in place appropriate technical and organisational measures to ensure the security of processing; and
- only engaging with another processor (a sub-processor) with the controller’s prior specific or general written authorisation.
On top of these requirements, the outcome of the recent ‘Schrems II’ case has also confirmed the need for controllers to work with their processors to determine whether a third country’s laws sufficiently protect personal data being transferred to it, which in turn determines whether Standard Contractual Clauses can be relied upon as an appropriate transfer mechanism under Chapter 5 of the GDPR. If no such protections are identified, then appropriate safeguards or security measures should be put in place to protect the personal data being transferred (akin to point 3 above).
With all of this in mind, it is evident that controllers will need to audit or inspect what their processors are doing during the course of their contractual agreement with them. Simply signing a Data Processing Agreement and ignoring it would not be acceptable. In practice, this often results in difficult negotiations. How do you approach your processor to start the inspection process? Who should facilitate it? Can you force them to change something if it is not compliant? The UK’s Information Commissioner’s Office (ICO) provides rather limited advice in relation to this, and the relevant guidance on its website seems to imply that the processor has the option to either provide the information or submit to an audit. Of course, if the controller never starts the conversation to begin with, then nothing will happen.
In practice, a range of different approaches is being adopted. Some businesses explicitly state in their Data Processing Agreements the dates on which an audit will be carried out and the scope of any proposed inspection, whilst others stipulate that evidence will only be provided when it is necessary to do so and, in some cases, only after the controller has paid a fee. If we consider the Danish Data Protection Agency’s template data processing agreement, approved by the European Data Protection Board (EDPB), as ‘best practice’, then we can see that sections 7 and 8 within Appendix C contain rather detailed provisions enabling the controller to carry out planned and unplanned audits and physical inspections, and to require the processor to adopt additional measures to ensure compliance if findings fall short of expectations.
Of course, a ‘one size fits all’ approach does not always work in the real world, particularly if your data processor is a trillion-dollar business like Amazon or Microsoft. It is unlikely that these companies would want their customers wandering through their data centres and, indeed, this is reflected in how they do business: they prefer self-audits and issue confidential reports to their data controllers instead. Whether this is compliant with Article 28(3)(h) is questionable, but it does more accurately reflect the imbalance of power between many controllers and processors.
Nevertheless, scrutiny is important, irrespective of who is on the receiving end. Below is a summary of the types of checks that controllers should perform as well as things to consider when conducting an audit:
Article 28(3)(h) is often forgotten, but its importance should not be ignored. Organisations are required to demonstrate accountability; this means evidencing compliance on an ongoing basis. Relationships with your vendors and data processors are one such element of compliance, and without proper inspection of their security measures and the way they process personal data, the likelihood of breaches and incidents increases.
Xcina Consulting has the knowledge and expertise to help you to audit your processors and sub-processors. We apply a robust methodology and incorporate the use of a Third Party Management Framework to ensure they are meeting their obligations.