
Navigating Privacy in a Sea of Change

New data protection regulations require thoughtful analysis and incorporation into the organization’s governance model.


In the global governance landscape, including risk, audit, and compliance functions, change is pervasive and continuous, making oversight and management of change critical to an organization's governance model. There is perhaps no better example than the ongoing upheaval, questions, and transformation occurring in the European Union (EU) in regard to data protection regulations. Following the finalization of the General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, legal challenges and a stream of questions began immediately. While these events may seem removed from the daily concerns of U.S.-based organizations, compliance with the GDPR is required to operate in the EU/European Economic Area and can no longer be treated as a casual function.

The GDPR focuses on personal data and, specifically, the right to privacy. Personal data is any information relating to the data subject, who can be identified, directly or indirectly, by reference to an identification number or to one or more specific factors, such as name, birth date, gender, address, phone number, resume or talent information, national identifiers, or bank account or credit card numbers. These broad considerations require analysis by compliance and audit professionals to ensure risks are identified and addressed and control points are captured.

Both data controllers and data processors have specific obligations under the new regulation. The data controller is the organization that controls access to and processing of personal information; the data controller determines the purposes and means of the processing of personal data. The data processor is the natural or legal person, public authority, agency, or any other body, including service providers, that processes personal data on behalf of the controller.

While core elements of the regulation are based on prior requirements such as fairness, transparency, purpose limitation, data minimization, quality, security, and confidentiality, the new regulation introduces the accountability principle, providing a direct requirement for oversight and governance of the privacy program.

The changes incorporated into the new regulations require focus, analysis, investment, and incorporation of privacy governance into an organization's governance model, including the audit universe and plan. Review and assessment of these structures should be part of the ongoing audit plan.

Extraterritoriality Effect

The GDPR regulations were designed to extend beyond the EU and do not exclude organizations based on size or corporate jurisdiction. Even businesses without a geographical presence in the EU may fall under the scope of the regulation. This can be triggered simply by providing goods or services to EU citizens or by allowing individuals to create online user accounts or profiles that can then be tracked and monitored. EU-based organizations must comply with the regulation based on their jurisdiction. Internal audit should coordinate with compliance and privacy professionals to ensure the new requirements are understood and assessed.

Program Governance and Policy Management

Organizations must identify the privacy/data protection program owner and name a data privacy officer. This owner must be aligned organizationally to allow for oversight of the many departments required to participate. Given the extensive requirements associated with the GDPR, full compliance cannot be achieved through disparate or disconnected efforts. Further, application of organizationwide policies, procedures, controls, and monitoring will help ensure consistent alignment of data protection requirements across locations and operations. Privacy program reviews should consider applicable policy updates to ensure specific consideration is given to the regulation within the company's privacy policy. In addition, given the cross-functional reach of privacy requirements, auditors should ensure updates are considered within other functional policies such as software development (e.g., privacy by design considerations) and human resources (e.g., employee data management practices).

Data Mapping and Privacy Impact Assessments

Understanding the scope and associated obligations is critical in establishing any governance program. The GDPR considers the activities of data mapping (identification and classification of information assets) and a privacy impact assessment. The results of these activities will guide the remaining program structure and assessment activities. Auditors should coordinate with the compliance or privacy team to ensure these key scoping steps are completed. They provide the foundation for the privacy program assessment as well as key inputs into overall audit universe and risk assessment activities, and thus should be incorporated into audit planning and testing programs.

Contract Management

Contractual partnerships and organizations also are in scope for considering the impact to privacy, as these entities often touch, handle, or transfer data. Through an established contract management process, an organization can identify, assess, and respond to data protection obligations across entities. Processes should consider both client contracts, which may require use of standard contractual clauses for cross-border transfers, and vendor and supplier contracts. Within vendor and supplier contracts, companies must ensure obligations are extended to the partner organizations. Internal audit should review contract management procedures with legal and procurement teams to ensure processes are in place to extend and monitor compliance with obligations.

Notice and Consent Obligations

Specific obligations for notice and consent may vary based on an organization's service offering and client interactions. The GDPR requires specific, informed, unambiguous, and in some cases explicit consent to process personal data. Audit should review these processes to ensure both internal associate and client data is maintained and used in accordance with the notice and consent structures in place, or that necessary modifications are made.

Operational Considerations

Organizations also must consider storage and movement of personal data within their systems, especially if data is being transferred to or accessed from a non-EU country. A "cross-border transfer" covers both actual data movements and access to the data from outside the originating jurisdiction. Collecting, recording, accessing, using, storing, retrieving, or reading data outside the originating jurisdiction constitutes a transfer. Auditors should incorporate into annual test plans both access-based and process-based control tests to ensure data transfers are managed correctly.

Data Security Considerations

While obligations for appropriate technical and organizational measures continue to apply as established by prior regulations, the GDPR includes enhanced breach notification obligations. As such, organizations must ensure their incident response policies and procedures align with the requirements. Review of both incident response and overall security controls should be included in audit's annual plan to ensure a timely response is possible and, if not, that adjustments are made.

These steps can set a course toward governance structures aligned with the data protection regulations. Repercussions of noncompliance are high, with impact to core operations and fines potentially reaching 2 percent to 4 percent of global revenues. Internal audit is key in enhancing ongoing compliance.

As the global privacy landscape changes, organizations must establish both privacy governance structures and a regulatory change management process. This includes defining ownership, refining assessments to incorporate new and changed requirements, and continuing to enhance internal plans and programs. Change must be part of the governance model for privacy and data protection, and auditors should review these structures to confirm appropriateness.

Melissa Ryan

About the Author

Melissa Ryan, CRMA, CISA, leads risk, compliance, and security services at Asureti in Lenexa, Kan.