Audit of a new or existing personal data processor—checklist

Copyright © 2025 LexisNexis
Produced in partnership with Sanjana Sura of Bird & Bird and Ruth Boardman of Bird & Bird
Checklists

Audit of a new or existing personal data processor—checklist

Copyright © 2025 LexisNexis

Produced in partnership with Sanjana Sura of Bird & Bird and Ruth Boardman of Bird & Bird

Checklists
imgtext

This Checklist sets out key considerations a controller should typically take into account when conducting an audit for the purposes of evaluating the suitability of a prospective or existing processor of personal data under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR).

For further information about controllers’ obligations and engaging processors under the UK GDPR regime, see Practice Notes:

  1. The UK General Data Protection Regulation (UK GDPR)

  2. Key definitions under UK data protection law

  3. Supply chains under data protection law—arrangements between controllers and processors

Audits of processors

Although processors subject to the UK GDPR have their own particular responsibilities under the legislation, controllers remain responsible for the processor’s processing of personal data under their instructions.

Under:

  1. the accountability principle of the UK GDPR: the controller is responsible for, and must be able to demonstrate compliance with, the data protection principles set out in Article 5(1) of the UK GDPR (which includes the lawfulness, fairness and

Sanjana Sura
Sanjana Sura

Senior Associate, Bird & Bird

I am a senior associate in Bird & Bird’s Privacy & Data Protection Group in London with significant experience in the data protection and privacy space.

I advise our international and UK clients on anything related to GDPR and e-privacy.
Examples of the work I do include drafting privacy and cookies policies, drafting and negotiating processor and joint controller agreements, providing advice on how to handle data subject rights, assessing direct marketing strategies, providing advice on employee monitoring programmes, drafting data retention policies and structuring international data transfer arrangements (including Binding Corporate Rules). With all of the recent and upcoming changes, it is fair to say no two days as a data protection and privacy lawyer are the same.
Before joining Bird & Bird, I was an associate at a magic circle law firm. I have spent significant time on secondment at a number of different organisations in different sectors, including an investment bank, a media company and a telecommunications company.

Read moreRead more
Ruth Boardman
Ruth Boardman

Partner, Bird & Bird

Ruth jointly heads Bird & Bird's International Privacy and Data Protection Group.

Her extensive experience includes advising a broad range of public and private sector organisations on information law matters. She has in-depth industry experience on advising on privacy issues relating to online providers, communications services, financial services and health.

Ruth is the co-author of Data Protection Strategy (Sweet & Maxwell), published in Summer of 2019, which is a guide to the GDPR and UK legislation and has edited the Encyclopaedia of Data Protection (also Sweet & Maxwell) and is on the editorial board of Data Leader. She is a Board Member of the International Association of Privacy Professionals, having previously served on the IAPP's research and European boards.  Ruth also assists the Global Alliance for Genomics and Health, where she is a member of the Regulatory and Legal Group.

Read moreRead more
Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Related legal acts:

Popular documents

If a beneficiary signs a deed of disclaimer of their share of an estate and the estate pays their legal

If a beneficiary signs a deed of disclaimer of their share of an estate and the estate pays their legal fees, will that count as a PET against their estate?A disclaimer is the refusal of a gift prior to acceptance. The refusal of the gift must take place before the beneficiary accepts any benefit

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a

Glossary—Latin legal terms

Glossary—Latin legal termsDespite attempts in recent years to simplify the language used in legal cases, there are still a number of Latin phrases commonly used in personal injury claims. The following Latin phrases are listed in alphabetical order:Latin