Audit of a new or existing personal data processor—checklist

Copyright © 2025 LexisNexis
Produced in partnership with Sanjana Sura of Bird & Bird and Ruth Boardman of Bird & Bird
Checklists

Audit of a new or existing personal data processor—checklist

Copyright © 2025 LexisNexis

Produced in partnership with Sanjana Sura of Bird & Bird and Ruth Boardman of Bird & Bird

Checklists
imgtext

This Checklist sets out key considerations a controller should typically take into account when conducting an audit for the purposes of evaluating the suitability of a prospective or existing processor of personal data under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR).

For further information about controllers’ obligations and engaging processors under the UK GDPR regime, see Practice Notes:

  1. The UK General Data Protection Regulation (UK GDPR)

  2. Key definitions under UK data protection law

  3. Supply chains under data protection law—arrangements between controllers and processors

Audits of processors

Although processors subject to the UK GDPR have their own particular responsibilities under the legislation, controllers remain responsible for the processor’s processing of personal data under their instructions.

Under:

  1. the accountability principle of the UK GDPR: the controller is responsible for, and must be able to demonstrate compliance with, the data protection principles set out in Article 5(1) of the UK GDPR (which includes the lawfulness, fairness and

Sanjana Sura
Sanjana Sura

Senior Associate, Bird & Bird

I am a senior associate in Bird & Bird’s Privacy & Data Protection Group in London with significant experience in the data protection and privacy space.

I advise our international and UK clients on anything related to GDPR and e-privacy.
Examples of the work I do include drafting privacy and cookies policies, drafting and negotiating processor and joint controller agreements, providing advice on how to handle data subject rights, assessing direct marketing strategies, providing advice on employee monitoring programmes, drafting data retention policies and structuring international data transfer arrangements (including Binding Corporate Rules). With all of the recent and upcoming changes, it is fair to say no two days as a data protection and privacy lawyer are the same.
Before joining Bird & Bird, I was an associate at a magic circle law firm. I have spent significant time on secondment at a number of different organisations in different sectors, including an investment bank, a media company and a telecommunications company.

Read moreRead more
Ruth Boardman
Ruth Boardman

Partner, Bird & Bird

Ruth jointly heads Bird & Bird's International Privacy and Data Protection Group.

Her extensive experience includes advising a broad range of public and private sector organisations on information law matters. She has in-depth industry experience on advising on privacy issues relating to online providers, communications services, financial services and health.

Ruth is the co-author of Data Protection Strategy (Sweet & Maxwell), published in Summer of 2019, which is a guide to the GDPR and UK legislation and has edited the Encyclopaedia of Data Protection (also Sweet & Maxwell) and is on the editorial board of Data Leader. She is a Board Member of the International Association of Privacy Professionals, having previously served on the IAPP's research and European boards.  Ruth also assists the Global Alliance for Genomics and Health, where she is a member of the Regulatory and Legal Group.

Read moreRead more
Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Related legal acts:

Popular documents

The UK General Data Protection Regulation (UK GDPR)—Navigator

The UK General Data Protection Regulation (UK GDPR)—Navigator [Archived]ARCHIVED: This Practice Note is not maintained and is for background information only. This archived Practice Note i) provides navigational information on the UK GDPR and accompanying Data Protection Act 2018 and ii) briefly

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companiesWhy does it matter?A company that is a member of a group and has incurred any of the types of losses available for surrender by way of group relief may, without any further rules, have more than one way in which to use the loss. There are a

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the current registered owner? Or does the informal exoneration only apply to the parties to the document which informally exonerated the rentcharge?This Q&A considers the situation where, at some

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid