As a processor, your clients are likely considered ‘controllers’ under the EU and UK GDPR. Borneo assists with audits ranging from initial gap analysis and general GDPR audits to ISO 27001:2022 compliance. In this scenario, your Data Processing Agreement [DPA] likely has a clause that allows your client to audit the processing you conduct on their behalf to ensure there are no data protection issues. In order to ensure a successful audit, you need to be aware of a few vital areas:
Scope of audit & team composition
Ensure that you are prepared to discuss the processing that applies to this audit. You do not necessarily need to prepare information for all processing activities if you are being audited by a controller; only what is required under this audit. With this in mind, you should compose an audit team that ensures knowledge of the specific processing activity[/ies] under the DPA, covering operational and technical aspects.
Visitor management
Ensure that a proper visitor management procedure is in place. This can include things like a welcome at the door, documentation of arrival and leaving times, escorting while present in the office, etc. You should also ensure that the room the auditor will work in is cleared for examination purposes with no data protection issues. This can include things like having a clean desk, clear screen, emptied waste paper bins, etc.
Documentation
Prepare all relevant documentation (paper or digital), including the DPA in question, the processor record of processing activities, the DPAs and SCCs concluded with subprocessors, the Technical and Organisational Measures (TOMs) registry, any certificates or audit reports relevant to you or your subprocessors, any related Data Transfer Impact Assessment[s], employee confidentiality clauses, data protection training records, and policies & deletion/management concepts related to the processing in question.
Presentation of DPA-related processing and systems/applications used
Prepare a brief presentation of the processing carried out under the DPA in question. If possible, include a clear data flow diagram showing the data handled by each of the systems, tools, and applications used, so that the processing conducted under the DPA can be explained to the auditor where necessary. Also prepare a brief illustration of the DPA-relevant systems, tools, and applications as well as their respective privacy and security settings.
Contractually-agreed TOMs
Prepare an overview of the TOMs contractually guaranteed in the DPA you have with the controller/client, in which you identify which systems, tools, and applications relate to each TOM. This should indicate how you implement the security measures and any vulnerabilities that may exist, demonstrating your awareness and the breadth of your risk management. It is best to transparently disclose any vulnerabilities to give the auditor a sense of honesty.
If you need more information about this topic contact us. We’ll be happy to advise you!