What a lot of organizations unfortunately still don’t realize is their legal obligation to audit their vendors under the GDPR. The GDPR distinguishes two direct parties: the controller and the processor.
The controller decides (controls) the scope, nature and so on of the processing, and the level of security for the protection of the personal data.
The processor processes the personal data on behalf of the controller. The processor may not process the personal data given by the controller for any other purpose than what they agreed upon.
You must have a legally binding agreement between processor and controller.
The agreement must mention:
That contract or other legal act shall stipulate, in particular, that the processor makes available to the controller:
The GDPR requires you to prove your compliance with the GDPR – your accountability. If you hand over work to your employees, you must make sure, for instance, that they are properly trained and that they have safe software to use, etc. The same accountability applies to your processors. You are ultimately responsible for what happens with the personal data that was given to you by the data subjects. So it’s up to you to make sure the processor complies with the requirements of the agreement: we call this ‘vendor auditing’. You and your processor/vendor will have to have a legally binding agreement. In that agreement you must state to what standard you hold them, i.e. what technical and organizational measures they must take, and how and when you should be informed of data breaches, etc. In order to CYA you must make sure this is put in writing.
When you’re a processor you should be aware that you are legally required to allow the controller to audit you, and that you must contribute relevant information to these audits when asked. Of course this all needs to be proportional and reasonable. If you would like to know what proportional and reasonable means in your situation, please contact me.
There is no legally set frequency at which one must audit vendors, but as with the other types of audit, a good measure would be to audit your vendors yearly. Obviously it depends on many variables, such as the duration of the agreement, how sensitive the data is, etc. Please contact me if you need advice.