Public outcry about the growing severity of data breaches has led to enhanced regulations around the world to protect consumers' personal information. The most prominent of these data privacy regulations is the European Union's (EU's) General Data Protection Regulation (GDPR). Other regulations, like California's Consumer Privacy Act of 2018, are modelled after GDPR.
These data privacy laws can increase compliance risk for organizations and disrupt business operations. Besides businesses that reside within the EU borders, GDPR applies to non-EU organizations that do business with EU residents. Organizations in violation of GDPR may face increased fines and penalties of $20 million or 4 percent of annual worldwide revenue, whichever is greater, for each incident. The law shortens the interval for notifying victims of a breach to within 72 hours after discovery.
Additionally, data privacy regulations such as GDPR prescribe requirements such as having written information security programs, policies and procedures, and compliance with a security program. New regulations also could impact organizations' long-term planning by forcing them to change current or future business approaches. Opportunities abound for internal audit to add value to ensure the organization complies with data privacy regulations.
With only 72 hours to notify victims after a data breach is discovered, organizations subject to GDPR need an established and tested incident response plan to ensure notifications are made accurately and in a timely manner. The plan should ensure all third-party contractual data breach notifications are aligned. In auditing the plan, internal audit should:
- Review the current incident response plan and policy to ensure it contains GDPR's 72-hour notification provision.
- Observe or participate in periodic tests of the incident response plan to ensure people are aware of their roles and that notification will occur in a timely manner. Also, interview participants to validate the plan and role awareness.
- Review third-party contracts to ensure they outline breach notification timelines that will allow the organization to report a breach, if applicable, within the 72-hour requirement.
- Validate that third-party reporting is incorporated into the incident response plan and testing.
Choice of Consent
GDPR allows EU residents to choose whether and how organizations can use their personal data. The organization's legal team should provide guidance about when consents must occur. This requires the organization to document and maintain consents. Internal audit should:
- Perform a walk-through of the process to review for any potential control improvements or efficiency opportunities.
- Test the consent process by entering a consent to see whether the system has logged and retained it.
- Obtain customer records sent to third-party vendors and compare them to the consent-tracking system to validate that consumers consented to having their records sent to the third party.
- Review audit trails to ensure they cannot be altered.
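The last three tests above (a logged consent can be found, records sent to a third party match recorded consents, and the audit trail resists alteration) can be exercised against a tamper-evident consent log. The example below is added here and is not code from the article; it assumes a hypothetical hash-chained log in which each entry's SHA-256 covers the previous entry's hash, so editing or removing an earlier consent breaks every later link. The customer IDs, purposes and the vendor transfer extract are constructed sample data.

```python
import hashlib
import json

# Hypothetical tamper-evident consent log (not the article's system): each
# entry hashes the previous entry's hash together with its own record, so any
# change to a past consent is detectable by recomputing the chain.
GENESIS = "0" * 64


def _entry_hash(prev_hash, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class ConsentLog:
    def __init__(self):
        self.entries = []  # each item: {"record": {...}, "hash": "<hex>"}

    def append(self, customer_id, purpose, granted, recorded_at):
        record = {"customer_id": customer_id, "purpose": purpose,
                  "granted": granted, "recorded_at": recorded_at}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "hash": _entry_hash(prev, record)})

    def verify_chain(self):
        """Return the index of the first entry whose hash no longer matches, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if _entry_hash(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

    def has_consent(self, customer_id, purpose):
        """Latest recorded decision wins: a later withdrawal overrides an earlier grant."""
        decision = False
        for entry in self.entries:
            r = entry["record"]
            if r["customer_id"] == customer_id and r["purpose"] == purpose:
                decision = r["granted"]
        return decision


def unconsented_transfers(log, transfers):
    """Records sent to a third party for which no current consent exists (audit exceptions)."""
    return [t for t in transfers if not log.has_consent(t["customer_id"], t["purpose"])]


def build_sample_log():
    # Constructed consent history, including one withdrawal.
    log = ConsentLog()
    log.append("C100", "share_with_vendor", True, "2019-03-01T10:00:00Z")
    log.append("C200", "share_with_vendor", True, "2019-03-02T11:30:00Z")
    log.append("C100", "share_with_vendor", False, "2019-04-15T09:05:00Z")  # withdrawal
    log.append("C300", "marketing_email", True, "2019-05-20T16:45:00Z")
    return log


# Constructed extract of customer records actually sent to a vendor.
SAMPLE_TRANSFERS = [
    {"customer_id": "C100", "purpose": "share_with_vendor"},
    {"customer_id": "C200", "purpose": "share_with_vendor"},
    {"customer_id": "C300", "purpose": "share_with_vendor"},
]


def tamper_demo():
    """Simulate someone trying to erase C100's withdrawal; the chain exposes it."""
    log = build_sample_log()
    log.entries[2]["record"]["granted"] = True
    return log.verify_chain()  # index of the altered entry


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify_chain() == -1)
    print("exceptions:", [t["customer_id"] for t in unconsented_transfers(log, SAMPLE_TRANSFERS)])
    print("altered entry index:", tamper_demo())
```

Run as a script, it reports that the untouched chain verifies, that C100 (consent withdrawn) and C300 (consent given for a different purpose) are exceptions in the vendor extract, and that altering the withdrawal entry is detected at index 2. In practice the chain head would be anchored outside the system (for example, written to a separate write-once store) so that an attacker who can rewrite the whole table cannot simply regenerate it.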
The Internal Auditor article "GDPR and Internal Audit" discusses the main aspects of GDPR compliance. Author Jan Hertzberg advises internal auditors to include independent assessments and compliance testing in their audit plans. Hertzberg says these activities can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Moreover, they can identify opportunities to audit common processes across departments.
Under GDPR, organizations must not retain customer data longer than required for its intended purpose. Data is either stored online or backed up. Backups can be performed online or offline on removable media such as tapes. As a best practice, the organization's retention policies should document the time period in which it retains customer data and comply with respective data privacy regulations.
Data removal should be documented and tracked to show compliance. Removing data from online sources can be done easily using a database query. Removing data from offline storage can be a more tedious process, depending on the backup model used and rotation plan.
For tape storage, this may require removing the record from full and incremental backups, including those for data file restoration and full disk backup for disaster recovery planning. Additionally, retaining a large number of previous backups could lead to a somewhat cumbersome process in which the organization would need to recall and remove each record on each tape.
In reviewing data retention practices, internal audit should:
- Perform a walk-through of the process to look for potential control improvements or efficiency opportunities.
- Select a sample from the tracking system of deleted customer records and query the production system and active online backups to validate that the customer records were removed.
- Select a sample of offline tape backups and review whether the customer records were removed.
- Compare data retention policy requirements to the tracking system to ensure data was removed as stipulated.
- Validate whether the current data retention policy complies with associated data regulations.
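The retention tests above (sample the deletion tracking system and confirm the records are gone from production and online backups; compare policy retention periods to what is still held) reduce to two checks that can be automated against data extracts. The example below is added here and is not code from the article; the retention periods, the production and backup extracts and the deletion log are all constructed, and the per-category policy is a hypothetical one chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical retention policy: days a record may be kept after its last
# activity, per data category (constructed values, not from the article).
RETENTION_DAYS = {"customer_profile": 730, "support_ticket": 365, "marketing_lead": 180}

# Constructed extracts: record id -> (category, last activity timestamp).
PRODUCTION = {
    "C100": ("customer_profile", "2018-12-01T00:00:00Z"),
    "C101": ("marketing_lead", "2018-10-01T00:00:00Z"),
    "C102": ("support_ticket", "2018-05-01T00:00:00Z"),
    "C103": ("support_ticket", "2019-01-15T00:00:00Z"),
    "C104": ("customer_profile", "2019-02-01T00:00:00Z"),
}
ONLINE_BACKUP = {
    "C100": ("customer_profile", "2018-12-01T00:00:00Z"),
    "C103": ("support_ticket", "2019-01-15T00:00:00Z"),
    "C105": ("marketing_lead", "2019-01-10T00:00:00Z"),
}

# Constructed deletion tracking log: what the organization claims it removed.
DELETION_LOG = [
    {"customer_id": "C104", "deleted_on": "2019-05-10"},
    {"customer_id": "C105", "deleted_on": "2019-04-02"},
    {"customer_id": "C106", "deleted_on": "2019-03-20"},
]

AS_OF = datetime(2019, 6, 1, tzinfo=timezone.utc)  # audit date (constructed)


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def overdue_records(table, policy, as_of):
    """Records held past the policy retention period for their category."""
    overdue = []
    for record_id, (category, last_activity) in table.items():
        deadline = parse_ts(last_activity) + timedelta(days=policy[category])
        if as_of > deadline:
            overdue.append(record_id)
    return sorted(overdue)


def deletion_exceptions(deletion_log, stores):
    """IDs the tracking system reports as deleted that still exist in a store.

    `stores` is a list of (name, mapping) pairs, e.g. production and backups.
    """
    exceptions = []
    for entry in deletion_log:
        for name, store in stores:
            if entry["customer_id"] in store:
                exceptions.append((entry["customer_id"], name))
    return exceptions


def run_audit():
    stores = [("production", PRODUCTION), ("online_backup", ONLINE_BACKUP)]
    return {
        "overdue": overdue_records(PRODUCTION, RETENTION_DAYS, AS_OF),
        "not_actually_deleted": deletion_exceptions(DELETION_LOG, stores),
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items}")
```

On the constructed data the audit flags C101 and C102 as held beyond their retention periods, and finds that C104 still sits in production and C105 still sits in the online backup despite the tracking system recording both as deleted; C106 is absent from every store, as it should be. Offline tape backups cannot be queried this way, which is why the article treats them as a separate sample and review step.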
Third-party Vendor Management
GDPR requires organizations to gather third-party guarantees for compliance along with proof of compliance. These guarantees usually are included in contractual provisions along with provisions for overall vendor monitoring and oversight processes. Steps internal audit should take include:
- Performing a walk-through of the process to discover potential control improvements or efficiency opportunities.
- Reviewing a sample of third-party contracts to validate whether GDPR contract provisions exist. Also note any other contract provisions that allow for monitoring of the vendor's control environment. Such provisions could include the right to audit, third-party assessments, or other service-level reporting that demonstrates compliance.
- Testing a sample of contractual requirements to ensure there is supporting evidence of monitoring activities.
- Participating in the organization's testing of the third-party vendor's controls, if there is a right to audit. Note this could be an opportunity for internal audit to add value by performing select GDPR third-party vendor audits.
Overall, internal audit's assurance activities should align with the respective online data privacy policies. These assurance activities may include:
- Conducting a walk-through of processes used to provide customers stated rights for any potential control improvements or efficiency opportunities.
- Testing to ensure processes for each stated security requirement are appropriate. For example, if the security policy mandates that customer data be encrypted, then internal audit testing would include validating that the data is encrypted both online and offline (backups). In addition, internal audit would observe and test the security controls of the encryption keys.
Cross-border Data Transfers
Cross-border data transfer regulations may prohibit data transfers or require specific data protections. Many governments are implementing cooperative agreements to permit data transfer while still appropriately protecting individual privacy. Two examples of cross-border data transfer agreements are the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System and the Privacy Shield negotiated between the EU and U.S.
Organizations should remain abreast of current developments to ensure compliance with data transfer requirements. Internal audit must understand the requirements of these intergovernmental agreements and ensure compliance with each requirement.
Policy and Procedure Management
Formal policies and procedures are the heart of any security or data privacy program. Effective policies and procedures receive enterprisewide buy-in.
As a best practice, annual acknowledgement and training ensures policies and procedures are communicated and understood. Internal audit assurance activities should focus on ensuring compliance with these policies and procedures and determining whether there are appropriate processes to maintain them.
Knowing what data is collected, its location, and how it is used is paramount to ensuring data privacy compliance. This includes understanding what specific data is transferred to third parties and how they use the data.
Organizations usually have a data policy that categorizes types of data and provides guidance on the manner in which each type of data should be secured. They should formally define a data management program to ensure they maintain a data inventory and comply with existing policies and procedures. Internal audit tests should include:
- Performing a walk-through of processes to manage data for any potential control improvements or efficiency opportunities.
- Testing to ensure the organization adheres to data retention requirements.
- Testing to ensure appropriate security is in place as stated in the organization's data policy.
- Testing to ensure data inventory is maintained.
- Assessing management's formal risk assessment processes.
Ensuring Sound Security
Internal audit should remain abreast of current data privacy requirements that affect the organization. This includes serving as consultants for management to implement appropriate compliance measures and posting audit assurance activities.
The annual audit planning efforts should include audits that will allow validation of current data privacy compliance. This is especially necessary with organizations facing the risk of increased fines and penalties as well as a heightened potential for lawsuits by victims of data breaches. In this environment, internal audit can help ensure the organization has sound and prudent security practices.