Audit of a new or existing personal data processor—checklist

Produced in partnership with Sanjana Sura of Bird & Bird and Ruth Boardman of Bird & Bird
Checklists


This Checklist sets out key considerations a controller should typically take into account when conducting an audit for the purposes of evaluating the suitability of a prospective or existing processor of personal data under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR).

For further information about controllers’ obligations and engaging processors under the UK GDPR regime, see Practice Notes:

  1. The UK General Data Protection Regulation (UK GDPR)

  2. Key definitions under UK data protection law

  3. Supply chains under data protection law—arrangements between controllers and processors

Audits of processors

Although processors subject to the UK GDPR have their own particular responsibilities under the legislation, controllers remain responsible for the processor’s processing of personal data under their instructions.

Under:

  1. the accountability principle of the UK GDPR: the controller is responsible for, and must be able to demonstrate compliance with, the data protection principles set out in Article 5(1) of the UK GDPR (which includes the lawfulness, fairness and

Sanjana Sura

Senior Associate, Bird & Bird


I am a senior associate in Bird & Bird’s Privacy & Data Protection Group in London with significant experience in the data protection and privacy space.

I advise our international and UK clients on anything related to GDPR and e-privacy.
Examples of the work I do include drafting privacy and cookies policies, drafting and negotiating processor and joint controller agreements, providing advice on how to handle data subject rights, assessing direct marketing strategies, providing advice on employee monitoring programmes, drafting data retention policies and structuring international data transfer arrangements (including Binding Corporate Rules). With all of the recent and upcoming changes, it is fair to say no two days as a data protection and privacy lawyer are the same.
Before joining Bird & Bird, I was an associate at a magic circle law firm. I have spent significant time on secondment at a number of different organisations in different sectors, including an investment bank, a media company and a telecommunications company.

Ruth Boardman

Partner, Bird & Bird


Ruth jointly heads Bird & Bird's International Privacy and Data Protection Group.

Her extensive experience includes advising a broad range of public and private sector organisations on information law matters. She has in-depth industry experience in advising on privacy issues relating to online providers, communications services, financial services and health.

Ruth is the co-author of Data Protection Strategy (Sweet & Maxwell), published in Summer of 2019, which is a guide to the GDPR and UK legislation. She has edited the Encyclopaedia of Data Protection (also Sweet & Maxwell) and is on the editorial board of Data Leader. She is a Board Member of the International Association of Privacy Professionals, having previously served on the IAPP's research and European boards. Ruth also assists the Global Alliance for Genomics and Health, where she is a member of the Regulatory and Legal Group.

Jurisdiction(s):
United Kingdom