First off, this is me talking for myself, not my employer…
GDPR has become quite an issue, particularly around audits. First we need to understand what is considered personal data; I work on the basis that anything that can identify a user or a computer (client or server) that is used by a single user is covered. So that's email addresses, user login IDs, user real names, computer names, IP addresses, MAC addresses, etc. Even if any of these are masked individually, that is still very likely to be considered personal data. Data that can identify multi-user servers is generally not considered personal data.
In general, for service providers, the customer is the data controller and we service providers are data processors, and as long as everyone understands the obligations and risks here, it's pretty manageable.
For audits involving two parties (i.e. customer and vendor), the situation is a bit more complicated, but again manageable. The vendor can see all data collected, can act as a controller in its own right, etc.
Where it can get complicated is in cases with third-party auditors. If the auditor will agree to be a processor on the customer's behalf, this isn't too bad, but where we see people getting bogged down is where the vendor is the data controller and the auditor is a data processor on their behalf. As the vendor will only see the final report, not the collected data, it is pretty much impossible for them to fulfil their obligations under GDPR, particularly around fulfilling data access requests, privacy notifications, etc.