Audit means the inspection or examination of the processor’s activities and its facilities to ensure GDPR compliance.
Art. 28(3)(h) GDPR states that the terms of the audit should always be regulated in the data processing agreement between the controller and the processor.
When executing an audit, the controller should be able to confirm that the data are being processed in a compliant way. Essential questions that a processor should always be able to answer include:
- What data are collected?
- Where are the data stored?
- How is the data being protected and documented?
- How long is the data stored?
- What are the processes for requests from a data subject regarding their rights?