Under the GDPR (General Data Protection Regulation), organisations and their suppliers can both be held accountable in the event of a data breach. This is why it’s essential for data controllers to review the information security practices of data processors before agreeing to work together.
Ultimately, this will involve a supply chain audit and contractual agreements, but before you get to that stage, data controllers should give potential partners a questionnaire to complete.
The document will contain a checklist of GDPR requirements, and the data processor must confirm their compliance status.
Below, you’ll find examples of questions that you might expect to see in a questionnaire, but first, let’s take a look at the types of organisations that should be required to complete this task.
What counts as a data processor?
Organisations involved in personal data collection can be divided into two categories. The first are data controllers, who decide that personal data will be collected and determine the purposes for which it is processed.
The second group are data processors, who process personal data on behalf of a controller and on its documented instructions. This might include determining how to store the information, ensuring that it is protected, applying the controller’s data retention schedule and deleting information when it is no longer needed.
An organisation can be both a data controller and a data processor, but these tasks are often split. This is particularly the case if an organisation’s business is designed specifically around its data processing ability, as might be the case with an email marketing service.
In this example, an organisation acts as the data controller, deciding that it wants to advertise its products in an email campaign. It then uses an email marketing platform (a data processor) to send emails on its behalf.
Another example of a data processor is a Cloud provider that stores sensitive personal data on behalf of an organisation. In this case, the company keeps its records on the Cloud provider’s servers.
In both cases, the data controller and data processor must have a written agreement detailing how sensitive information will be protected. As such, the data processor might receive a questionnaire that gives the data controller a baseline of its GDPR compliance practices.
What you should include in your questionnaire
Here is a list of questions that you might expect to see in a GDPR data processor questionnaire. The list, which is broken into three sections, is not intended to be exhaustive, as there might be specific issues related to your data processing activities that you wish to address.
Because GDPR compliance can be complex, we recommend that you avoid giving data processors a simple ‘yes/no’ option. Instead, you should ask them to select on a scale how advanced their compliance practices are.
For example, you might ask if the compliance activity has been fully implemented, partially implemented or not implemented at all.
The first section of the questionnaire should cover documentation:
- Does your organisation document the information that it holds, where it comes from, who it is shared with and what you do with it?
- Does your organisation have an information security policy?
- Has your organisation completed a data flow mapping exercise?
The second section of the questionnaire should cover processes and policies:
- Does your organisation have a data protection policy?
- Does your organisation have a DPO (data protection officer) or someone in a similar role?
- Has your organisation implemented appropriate technical and organisational measures to protect personal data?
- Does your organisation conduct regular staff awareness training covering the GDPR and data protection risks?
- If your organisation is based outside the EU, have you appointed an EU representative?
- Does your organisation have an incident detection system in place?
- Does your organisation have a robust system in place to complete DSARs (data subject access requests)?
The third section of the questionnaire should cover individuals’ rights:
- Does your organisation have processes to ensure that personal data remains accurate and up to date?
- Does your organisation routinely dispose of personal data when it is no longer needed?
- Is your organisation able to respond to a request for personal data in physical and digital form?
Data processor audits
The data processor questionnaire is often complemented with an on-site audit. Data controllers may choose to complete this to get a closer look at the data processor’s practices, or the data processor might perform an audit to review its own compliance status.
So whether you’re a controller or a processor, you may benefit from DQM GRC’s Supply Chain Audit.
With this service, our team of experts will design an audit programme around the data controller’s risks and controls, and discover how effective its security mechanisms are.
You will receive a report that identifies areas of good practice and highlights deficiencies, supported by recommendations to resolve or mitigate them.