Assuring the quality of data processing

Once in operation, the quality of the service needs to be assured. The data protection programme should include activities that provide this assurance, such as:

• Auditing the activities
• Auditing of processors and sub-processors
• Impact of changes in the external environment

The data controller designed the service to minimize the risks to the rights and freedoms of the data subjects and meet any obligations arising from the rights of the data subject.

The audit examines how the service operates to ensure compliance with the design.

For outsourced processing the data controller has a responsibility to ensure that the processor is following the contract.

Plan the assurance tasks on a risk basis. This approach ensures that the processing with the most significant risk to the rights and freedoms of data subjects (whether internal or outsourced), are subject to the most rigorous inspection programme.

Audits may also be an opportunity to identify improvement activities and adjust the ratings of associated risks.