A Data Processor Security Assessment is often used to determine the information security risks associated with contracting with a third-party data processor. Organisations must ensure that personal data remains secure regardless of whether it is processed internally or by a separate data processor. Where a data processor is engaged, it is important that the data controller can be assured that the personal data remains secure.
A data controller can gain this assurance through the contract with the data processor and, if required, further assurance can be gained from a security assessment.
A data protection security assessment will request that the data processor provide further detail regarding the technical and organisational measures that it employs in the processing of the personal data. The assessment would be completed by the data processor and assessed by appropriate roles within the data controller, such as a technical manager, Data Protection Officer and department manager. Whilst a security assessment is not mandatory in all instances, it is highly recommended where the data processing may be considered high risk, such as when a Data Protection Impact Assessment is completed.
Any risks identified should be addressed so that the processing can continue to take place.