What do we need to consider and prepare for an on-premise data protection audit from our Controller?

As a processor, your clients are likely considered ‘controllers’ under the EU and UK GDPR. Borneo assists with audits ranging from initial gap analysis and general GDPR audits to ISO 27001:2022 compliance. In this scenario, your Data Processing Agreement (DPA) likely has a clause that allows your client to audit the processing you conduct on their behalf to ensure there are no data protection issues. To ensure a successful audit, you need to be aware of a few vital areas:

Scope of audit & team composition

Ensure that you are prepared to discuss the processing that applies to this audit. You do not necessarily need to prepare information for all processing activities if you are being audited by a controller; only what is required under this audit. With this in mind, you should compose an audit team that ensures knowledge of the specific processing activity[/ies] under the DPA, covering operational and technical aspects.

Visitor management

Ensure that a proper visitor management procedure is in place. This can include things like a welcome at the door, documentation of arrival and leaving times, escorting while present in the office, etc. You should also ensure that the room the auditor will work in is cleared for examination purposes with no data protection issues. This can include things like having a clean desk, clear screen, emptied waste paper bins, etc. 


Prepare all relevant documentation (paper or digital), including the DPA in question, the processor record of processing activities, the DPAs and SCCs concluded with subprocessors, the Technical and Organisational Measures (TOMs) registry, any certificates or audit reports relevant to you or your subprocessors, any related Data Transfer Impact Assessment[s], employee confidentiality clauses, data protection training records, and policies & deletion/management concepts related to the processing in question.

Presentation of DPA-related processing and systems/applications used

Prepare a brief presentation of the processing carried out under the DPA in question, including, if possible, a clear data flow diagram illustrating the data processed by the systems, tools and applications used, so that you can explain the processing conducted under the DPA to the auditor if necessary. Also, prepare a brief illustration of the DPA-relevant systems, tools, and applications as well as their respective privacy and security settings.

Contractually-agreed TOMs

Prepare an overview of the TOMs contractually guaranteed in the DPA you have with the controller/client, in which you identify which systems, tools, and applications relate to the TOMs. This should indicate how you implement the security measures and any vulnerabilities that may exist, to demonstrate your awareness and breadth of risk management. It is best to transparently display any vulnerabilities to give the auditor a sense of honesty.

If you need more information about this topic contact us. We’ll be happy to advise you!



We will have to keep an eye out for it since it’s possible that in due course we may have a specific explanation. However, the GDPR’s Recital 91 states: “Those which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and are likely to involve a high risk, for example, due to their sensitivity, where, depending on the level of technical expertise achieved, new technology has been used on a large scale and other processing operations which involve a high risk to the rights and freedoms of data subjects, in particular where these operations make it more difficult for data subjects to exercise their rights”.

Created by: Borneo

