Processing personal data is by no means always something you do alone as a Controller. Other parties or service providers are often called in to process personal data on behalf of the responsible party. The parties with whom personal data is exchanged in this way are referred to in the GDPR as Processors.
A so-called processor's agreement must be concluded with every Processor. This is a contract that sets out the arrangements for the processing operation(s) that the Processor will carry out on behalf of the Controller. Such an agreement should describe the personal data involved in the processing and the security measures the Processor must take to protect that data, but also, for example, the retention periods.
However, it is not advisable to conclude a processor's agreement and then not look at it for years. As the party responsible for the processing, you remain responsible and liable for the Processors you engage. If something goes wrong at a Processor that processes personal data on behalf of your organisation (for example a data breach), the data subjects whose personal data are affected by that error can also hold you liable as the Controller.
To prevent such a mistake, it is therefore important to keep a finger on the pulse of the Processors you work with. To this end, an audit right is often included in the processor's agreement. Such an audit right entitles the Controller to carry out periodic checks at the Processor's premises, so that it can be established that the Processor does its work properly and in accordance with the GDPR. However, such an audit costs a lot of time and often also a lot of money.
An alternative can be found in privacy management software. By registering every Processor with whom a processor's agreement has been concluded, it becomes possible to ask those Processors automatically, at fixed intervals, about the current status of the matters regulated in the processor's agreement. By arranging this in software, an overview is created automatically, and that overview can demonstrate that efforts are indeed being made to keep an eye on Processors.
Of course, this does not take away the Controller's responsibility entirely. If a Processor refuses to cooperate in such a digital audit, steps will have to be taken to obtain the necessary information. In addition, the answers a Processor gives will need to be verified to some degree. This does not alter the fact, however, that automating checks on Processors can result in considerable savings of time and money.
Are you curious what the above can look like in practice? Then ask for a demo of Privacy Nexus! With Privacy Nexus, you can get a grip on your processor's agreements and their compliance in a simple way.