What a lot of organizations unfortunately still don’t realize is their legal obligation to audit their vendors under the GDPR. The GDPR distinguishes two direct parties: the controller and the processor.
The controller decides (controls) the scope, nature and other parameters of the processing, and the level of security that protects the personal data.
The processor processes the personal data on behalf of the controller. The processor may not process the personal data entrusted to it by the controller for any purpose other than the one agreed upon.
Agreement between parties
You must have a legally binding agreement between processor and controller.
The agreement must mention:
- the subject-matter
- duration of the processing
- the nature and purpose of the processing
- the type of personal data
- categories of data subjects
- the obligations and rights of the controller.
That contract or other legal act shall stipulate, in particular, that the processor:
- makes available to the controller all information necessary to demonstrate compliance with the obligations
- allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
What does it mean for you as Controller?
The GDPR requires you to prove your compliance with the GDPR – your accountability. If you hand over work to your employees, you must make sure, for instance, that they are properly trained and that they have safe software to use. The same accountability applies to your processors. You are ultimately responsible for what happens with the personal data that was given to you by the data subjects. So it is up to you to make sure the processor complies with the requirements of the agreement: we call this ‘vendor auditing’. You and your processor/vendor will have to have a legally binding agreement. In that agreement you must state to what standard you hold them, i.e. what technical and organizational measures they must take and how and when you must be informed of data breaches, etc. In order to CYA you must make sure this is put in writing.
What does it mean for you as Processor?
When you are a processor you should be aware that you are legally required to allow the controller to audit you, and that you must contribute to these audits with relevant information when asked. Of course this all needs to be proportional and reasonable. If you would like to know what proportional and reasonable means in your situation, please contact me.
How often should you audit your vendors?
There is no legally set frequency at which one must audit vendors, but as with the other types of audit, a good measure would be to audit your vendors yearly. Obviously it depends on many variables, such as the duration of the agreement, the sensitivity of the data, etc. Please contact me if you need advice.
- Do you need help creating a vendor agreement (also known as a processor or processing agreement)?
- Do you need help checking your existing vendor agreements?
- Do you need to audit your vendors or would you like to be audited yourself?
Want to learn more about the GDPR? Sign up now for the 60 Day Privacy & Risk Challenge! (starts February 3rd 2020)