A data "Controller" is liable, in essence, for any data protection irregularity perpetrated by any of its data "Processors", irrespective of any audits the Controller conducted or reassurances it received.
Anyone who stores personal data is a controller, and anyone who has access to it is a processor, such as an external payroll company, an HR software hosting organisation, or legal counsel.
If, however, the Controller ensures that the Processor is audited against ISO 27701, the liability passes to the third-party auditors and away from the Controller.
The General Data Protection Regulation (EU) 2016/679, Article 28, states:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
A further supporting observation is made in Recital 81:
The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.
The UK Data Protection Act 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It sits alongside the GDPR, and tailors how the GDPR applies in the UK, for example by providing exemptions.