In the global governance landscape, including risk, audit, and compliance functions, change is pervasive and continuous, making oversight and management of change critical to an organization's governance model. There is perhaps no better example than the ongoing upheaval, questions, and transformation occurring in the European Union (EU) in regard to data protection regulations. Following the finalization of the General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, legal challenges and a stream of questions began immediately. While these events may seem removed from the daily concerns of U.S.-based organizations, compliance with the GDPR is required to operate in the EU/European Economic Area and can no longer be treated as a casual function.
The GDPR focuses on personal data and, specifically, the right to privacy. Personal data is any information relating to a data subject who can be identified, directly or indirectly, by reference to an identification number or to one or more specific factors, such as name, birth date, gender, address, phone number, resume or talent information, national identifiers, or bank account or credit card numbers. These broad considerations require analysis by compliance and audit professionals to ensure that risks are identified and addressed and that control points are captured.
Both data controllers and data processors have specific obligations under the new regulation. The data controller is the organization that controls access to and processing of personal information; the data controller determines the purposes and means of the processing of personal data. The data processor is the natural or legal person, public authority, agency, or any other body, including service providers, that processes personal data on behalf of the controller.
While core elements of the regulation are based on prior requirements such as fairness, transparency, purpose limitation, data minimization, quality, security, and confidentiality, the new regulation introduces the accountability principle, providing a direct requirement for oversight and governance of the privacy program.
The changes incorporated into the new regulations require focus, analysis, investment, and incorporation of privacy governance into an organization's governance model, including the audit universe and plan. Review and assessment of these structures should be part of the ongoing audit plan.
Extraterritoriality Effect
The GDPR regulations were designed to extend beyond the EU and do not exclude organizations based on size or corporate jurisdiction. Even businesses without a geographical presence in the EU may fall under the scope of the regulation. This can be triggered simply by providing goods or services to EU citizens or by allowing individuals to create online user accounts or profiles that can then be tracked and monitored. EU-based organizations must comply with the regulation based on their jurisdiction. Internal audit should coordinate with compliance and privacy professionals to ensure the new requirements are understood and assessed.
Data Mapping and Privacy Impact Assessments
Understanding the scope and associated obligations is critical in establishing any governance program. The GDPR considers the activities of data mapping (identification and classification of information assets) and a privacy impact assessment. The results of these activities will guide the remaining program structure and assessment activities. Auditors should coordinate with the compliance or privacy team to ensure these key scoping steps are completed. They provide the foundation for the privacy program assessment as well as key inputs into overall audit universe and risk assessment activities, and thus should be incorporated into audit planning and testing programs.
Contract Management
Contractual partners and partner organizations also fall within scope when considering the impact on privacy, as these entities often touch, handle, or transfer data. Through an established contract management process, an organization can identify, assess, and respond to data protection obligations across entities. Processes should consider both client contracts, which may require use of standard contractual clauses for cross-border transfers, and vendor and supplier contracts. Within vendor and supplier contracts, companies must ensure obligations are extended to the partner organizations. Internal audit should review contract management procedures with legal and procurement teams to ensure processes are in place to extend and monitor compliance with obligations.
Notice and Consent Obligations
Specific obligations for notice and consent may vary based on an organization's service offering and client interactions. The GDPR requires specific, informed, unambiguous, and in some cases explicit consent to process personal data. Audit should review these processes to ensure both internal associate and client data are maintained and used in accordance with the notice and consent structures in place, or that necessary modifications are made.
Operational Considerations
Organizations also must consider storage and movement of personal data within their systems, especially if data is being transferred to or accessed from a non-EU country. A "cross-border transfer" considers both actual data movements and access to the data from outside the originating jurisdiction. Collecting, recording, accessing, using, storing, retrieving, or reading data outside the originating jurisdiction constitutes a transfer. Auditors should incorporate into annual test plans both access-based and process-based control tests to ensure data transfers are managed correctly.
Data Security Considerations
While obligations for appropriate technical and organizational measures continue to apply as established by prior regulations, the GDPR includes enhanced breach notification obligations. As such, organizations must ensure their incident response policies and procedures align with the requirements. Review of both incident response and overall security controls should be included in audit's annual plan to ensure a timely response is possible and, if not, that adjustments are made.
These steps can set a course toward governance structures aligned with the data protection regulations. Repercussions of noncompliance are high, with impact on core operations and fines potentially reaching 2 percent to 4 percent of global revenues. Internal audit is key to enhancing ongoing compliance.
As the global privacy landscape changes, organizations must establish both privacy governance structures and a regulatory change management process. This includes defining ownership, refining assessments to incorporate new and changed requirements, and continuing to enhance internal plans and programs. Change must be part of the governance model for privacy and data protection, and auditors should review these structures to confirm appropriateness.