Organisations must ensure that personal data remains secure regardless of if data is processed internally or by a separate data processor. Where a data processor is engaged it is important that the data controller can be assured that the personal data remains secure.
A data controller can gain this assurance through the contract with the data processor and if required further assurance can be gained from a security assessment.
A data protection security assessment will request that the data processor provided further detail regarding the technical and organisational measures that it employs in the processing of the personal data. The assessment wold be completed by the data processor and assessed by appropriate roles within the data controller, such as a technical manager, DPO and department manager.
Any risks being identified should be addressed in order that the processing can continue to take place.