Have you ever read a Data Processing Agreement (DPA)? I mean, read through one instead of just forwarding the document to legal/compliance or trusting them to draft one?
The legal and technical terms used in a DPA are a barrier to outsiders, not because they are unable to understand it, it is just because it’s too boring and too much of a hassle. It’s easier to pass it along to the specialists and say that they will let you know if there is something important you need to know. After all, that is their job.
However, DPAs contain important information that every entrepreneur must be aware of. Today we are going to talk about one of these, the right to audit.
According to Article 28, 3, (h), a processor has to make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by it.
What does that mean for your company?
If you are a Controller, you must take advantage of that right to make sure that your service providers are GDPR compliant and that trusting them with your client’s data will not result in a data breach or any other major headache in the future.
Additionally, if you are a Processor, it means you must be apt to be audited at any time by your Controller. Therefore, you must have all your documents meeting the DPA requirements. And ready to go when you get a request like this. Non-compliance is not an option. Non-compliance means a breach of contract, and no one wants that, am I right?
How does this reflect in your DPA?
While the GDPR only mentions a general right to audit, this is what is standard for big SaaS companies (Data Processors):
The Controller must cover all audit costs;
Audits can be done by the Controller itself or by an authorized and trustworthy third-party;
A written request shall be forward to the Processor;
Within a reasonable amount of time (between 14 to 30 days before the audit)
Confidentiality is required;
A copy of the most recent audit reports or certifications is provided to the Controller;
A few companies also offer the option of an on-site audit, as long as the Controller reimburse the Processor for any time spent at their HQ or their Sub-processors (professional service rates);
The audit scope must cover only relevant information to the protection of personal data undertaken for the Services obtained;
The audit can only be done once per calendar year.
Meanwhile, this is what is considered good practices for a Data Processor:
Audit your company at least once a year, using, preferably an independent third-party;
Get as many certifications as you can (ISO 27001, etc.);
Be organized: create a folder with all audit and compliance documents a Customer may require. That will save you a lot of time and trouble;
Answer all reasonable questions made by your Customer in a reasonable amount of time;
Do not create impediments to the Customer right to audit: only ask for reimbursement if absolutely necessary, try not to limit how many times they can request audits or follow-ups, and avoid being too picky about their choice for independent auditors;
Be actually compliant with Data Privacy legislation.
Do not let the right to audit become a liability to your business. Prevention is always the safest (and less costly) path.
Want to learn more about how data privacy applies to your company? Get in touch with us today!