
When to audit

Since the GDPR rules came into force in 2018, it has been an open question when and to what extent you, as a data controller, must audit your data processors (and, through them, their sub-processors). Now, the Danish Data Protection Agency has published a guide that makes this very concrete. Below you can read the essence.

First of all, you need to identify which data processors you use: Which other companies process personal data on your behalf? Once you have mapped these, you must have a data processing agreement with each one.

Audit depends on the risk

You must audit your data processors to ensure, as best as possible, that the personal data you are responsible for does not fall into the wrong hands. The greater the potential harm from the processor’s handling of data, the stricter the auditing requirements. This can depend on the volume of data, the level of confidentiality, and the nature of the processing.

Note that the risk assessment is not about your business, but about the individuals whose data is being processed. How likely is it that something could go wrong—and what would the consequences be for the individuals if it did?

A risk-based point system

To make auditing easier, the Danish Data Protection Agency has developed a simple point scale with six corresponding audit concepts. The points indicate the risk level of the processing: the higher the risk, the more points—and the stricter the auditing requirements. There are four main parameters you must consider:


A. How many individuals are covered by the data?

The more people affected, the greater the risk, and the harder it may be to clean up data and comply with deletion deadlines.


B. Does the data include special categories of personal data?

These are listed in GDPR Article 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation.


C. Are there other types of sensitive personal data?

These are data that may require special protection. You must assess whether an ordinary citizen would find it uncomfortable if such information became known to others. Examples include information about major social problems, national ID numbers, protected names and addresses, exam results, disciplinary measures, personality tests, suicide attempts, long-term unemployment, etc.


D. How are you or your processor using the data?

If the data is used for profiling customers or mapping and influencing customer behavior, it may be more intrusive. Again, assess whether an ordinary citizen would find it uncomfortable if others gained access to the information.

Audit Concepts by the Danish Data Protection Agency

Depending on the total points, you can choose between different audit concepts.

You can switch between concepts, combine two or more, or apply a higher level if the processor does not meet the basic requirements of the chosen concept. Regardless, all data processing agreements must comply with the minimum requirements of the GDPR.


Concept 1: You don’t need to do anything

If you use a reliable and trustworthy processor, you can typically rely on them to comply with the agreement. Only if you become aware of problems do you need to act.


Concept 2: The processor confirms compliance

A trustworthy processor may simply provide you with a written confirmation that all requirements in the agreement are continuously met.


Concept 3: The processor provides an annual status

The processor can issue a written status update (directly or on their website) regarding compliance and note relevant changes, such as organizational or product-related adjustments. The report must cover all processing carried out on your behalf and include disclosure of any security breaches.


Concept 4: The processor has a certification or adheres to a code of conduct

If the processor holds a relevant and up-to-date certification or complies with a relevant code of conduct, they may document this in writing. Ensure that all contractual requirements are covered, including special requirements. Any breaches of data security must also be disclosed.


Concept 5: An independent third party has conducted an audit

If an independent third party (e.g., an industry association or authority) has conducted a documented audit covering your processing activities, you may rely on their declaration. Further details are provided in the Agency’s guidance.


Concept 6: You conduct your own documented audit

Depending on the risk assessment (for the data subjects), you may carry out your own audits of your processors to the extent necessary to minimize risks. This could, for example, be done by sending a written questionnaire.

For all concepts, you should monitor your processor through press coverage, audit reports, or personal experience. Always save your correspondence with them.

What should you audit?

The data processing agreement is the basis for auditing. It must include requirements such as the processor signing a confidentiality agreement and implementing appropriate technical and organizational security measures.

It must also state that the processor cannot use sub-processors without your approval—and if they do, the same obligations must apply. While the processor is responsible for auditing their sub-processors, you are responsible for ensuring they actually do so.

The processor must also assist you in handling data subject requests and in the event of data breaches, including timely notification and reporting. Finally, the processor must delete or return all personal data at the end of the collaboration and provide all necessary documentation.

How often should you audit?

The higher the score, the more intensive the audit. In high-risk cases, annual audits may be necessary, while in lower-risk cases, less frequent audits may suffice.

It may be wise to conduct more frequent audits if the processor struggles to comply with agreements, has had several serious security breaches, frequently changes sub-processors, or undergoes ownership changes, mergers, acquisitions, or major strategic shifts.

On the other hand, long-term positive experience with a processor can justify less frequent audits.

You can download the Danish Data Protection Agency’s guidance, which is available on their website.
