PRIV-26 – Subprocessors Inventory


What is this control about?

Implementing the control ‘Subprocessors Inventory’ is crucial for ensuring data security and compliance with data protection regulations. A subprocessor is a third-party vendor or service provider engaged by a data processor to handle personal data on behalf of the data controller. The Subprocessors Inventory control involves maintaining a comprehensive list of all subprocessors that have access to or process personal data on behalf of the organization.

Available tools in the marketplace

  • No tool recommendations

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

Here are some guidelines to implement a Subprocessor Inventory:

  • Create a Subprocessors Register: Develop a centralized and comprehensive register to document all subprocessors engaged by the organization. The register should include essential details such as subprocessor names, contact information, location, data processing activities, and the type of personal data involved.
  • Assign Responsibility: Designate a responsible team or individual within the organization to manage the subprocessors register and update it regularly. This person or team will be responsible for tracking changes in subprocessors and ensuring the accuracy and completeness of the information.
  • Review Existing Contracts: Review all existing contracts with subprocessors to assess their compliance with data protection requirements. Ensure that appropriate data protection clauses, security measures, and data processing terms are included in the contracts.
  • Conduct Risk Assessments: Assess the risks associated with each subprocessor based on their data processing activities and the type of personal data involved. Consider factors such as data sensitivity, the volume of data processed, security measures, and geographical location.
  • Obtain Necessary Approvals: Obtain necessary approvals from relevant stakeholders, such as the Data Protection Officer (DPO) or legal department, for engaging new subprocessors or making changes to existing ones.
  • Monitor and Update: Regularly monitor the performance and compliance of subprocessors. Update the subprocessors register whenever there are changes in subprocessors or their data processing activities.
  • Implement Data Protection Agreements: Ensure that appropriate Data Protection Agreements (DPAs) are in place with all subprocessors. These agreements should outline the subprocessor’s responsibilities, data protection obligations, security measures, and requirements for data breaches and incident reporting.

What evidence do auditors look for?

Most auditors, at a minimum, look for the action suggested below:

  • Provide your Subprocessors Register

Evidence example

For the suggested action, an example is provided below:

  • Provide your Subprocessors Register

The following screenshot shows an automated register in TrustCloud.
Review the vendor page in TrustCloud to ensure that it is accurate and includes all vendors, then use the tagging functionality to identify which vendors are your subprocessors.

[Screenshot: TrustCloud vendor page]