How do regulations like GDPR address issues with protecting personal data?
Maali Europe’s General Data Protection Regulation [GDPR] pushes companies doing business with Europeans’ data to do three things well: give people control over their data, respond quickly to breaches, and embed privacy controls throughout their business. The law has changed the privacy function from a paper-based exercise of policies and contracts to a business-transformation program affecting every product and service that uses European data.
Hrubey GDPR and regulations like the California Consumer Privacy Act, Brazil’s new General Data Protection Law, and new and revised regulations in Australia, China, and Japan highlight the need for companies to get their data protection practices in order. Organizations tend to have common challenges relating to data protection, including difficulty maintaining a current inventory of personal data, failing to connect privacy notices and privacy consents to personal data, and keeping personal data longer than is necessary to complete the business purpose described. Companies also are challenged with maintaining the accuracy of personal data and responding timely to data subject access requests.
What are the consequences of failing to comply with data privacy regulations?
Hrubey Under GDPR, fines for a failure to comply — particularly with data subject consent-related requirements — can be up to €20 million ($22.5 million), or 4 percent of the organization’s global annual turnover, whichever is larger. Organizations that have a data breach-related violation can be fined up to €10 million ($11.2 million), or 2 percent of the organization’s global annual turnover, whichever is larger. Operationally, regulators also can elect to stop the flow of personal data out of the European Union (EU), unless data is going to a country deemed to have adequate data protection provisions under EU regulations — the U.S., for example, does not have that designation. Regulators also can restrict an organization’s ability to use the personal data of EU residents until remediation is made of the underlying compliance problems. And perhaps more problematic is the damage to the organization’s reputation. In a highly digitized economy, customers must be able to trust organizations with their personal data.
Maali A lot has been said about the maximum fine for an egregious violation of GDPR. But GDPR also gives European citizens a private right of action to bring lawsuits against companies for privacy violations, and courts have no limit to the penalties and awards they approve. Perhaps the biggest risk is if a regulator imposes an injunction to prevent a company from continuing to process EU personal data. This could stop a product or service overnight.
How can organizations demonstrate that they are safeguarding information?
Maali The most visible way for companies to demonstrate a high level of data-privacy maturity is to offer employees and consumers a portal where they can view, correct, and delete their data and express opt-in and opt-out privacy consents. In addition, a well-documented process for assessing, monitoring, and mitigating risk can provide confidence to key stakeholders.
Hrubey Regulators expect organizations to be able to defend the risk-based decisions they have made regarding implementation of GDPR’s requirements. On the customer side, organizations should be transparent about the safeguards they are using to protect personal data. Privacy notices should, using plain language, include a description of how the organization protects the personal data under its care and be updated when the organization adjusts the safeguards used. Organizations should take a similar approach to privacy consent language, and take care to not process personal data before obtaining the data subject’s consent. Organizations also should consider including information about their privacy program on their website.
What is audit’s role in assessing privacy governance?
Hrubey GDPR requires organizations to periodically assess compliance against the requirements. Internal audit generally is in an excellent position to make this assessment on behalf of the organization. The key to a successful privacy audit is to understand the organization’s privacy landscape and the potential risks it faces. Mindful of those risks, internal audit can leverage existing audit methodologies and follow standard internal audit methodology to understand the organization’s performance in those potential risk areas. Privacy is ever-changing, so being agile regarding the risk landscape is the best approach to the privacy audit. Privacy team members along with their legal support colleagues are responsible for determining how regulations like GDPR apply to the organization, and then ensuring that appropriate program materials are prepared. Internal audit can assess whether the organization has pulled through the policies and procedures as expected.
Maali Internal audit can play a range of roles helping a company accelerate its privacy journey. The first is to consider data privacy as a material risk for the organization to monitor. Internal audit also can advise management on the selection of a privacy control framework that is most applicable to the company’s industry. It can assess and report the company’s status against that framework, and make recommendations on which stakeholders in each line of defense are best positioned to own the remediation of the control gaps. Internal audit also is positioned to test these controls on an ongoing basis, including reporting progress to senior management and the board.
What should internal audit assess regarding third-party data privacy compliance?
Maali Internal audit can help the organization reduce third-party privacy risk in several ways. First, internal audit can ensure that management has sufficient processes to identify high-risk suppliers and perform ongoing monitoring. In addition, internal audit can ensure that sufficient protections exist within third-party contracts, including right to audit provisions. Finally, internal audit can play an important role in assessing the data privacy controls for high-risk suppliers.
Hrubey Under GDPR, third parties who are processing personal data on behalf of an organization are accountable for complying with the related regulatory requirements. This does not mean that the organization hiring a third party is off the hook. Because the hiring organization is usually operating as a controller under GDPR — the entity that determines the purposes, conditions, and means of the processing of personal data — the controller may still have liability if the instructions provided to the third party regarding processing personal data were inappropriate. Organizations should have contracts that address expectations associated with privacy and data protection. Internal audit can evaluate contract compliance.
What controls are most needed to ensure the organization complies with data privacy regulations?
Hrubey The answer depends, at least in part, on the organization’s work, its industry, and the specific personal data it processes. Generally, organizations need data privacy-related controls, including an individual responsible for determining what regulations apply and what the organization must do to comply; risk assessment processes that can pinpoint privacy and data protection-related risks; clear policies and procedures for employees to follow; periodic training; and investigations into noncompliance that identify associated root causes. Strong information security-related processes should include, for example, access controls by role and, where appropriate, by individual; encryption of electronic equipment, including laptops and mobile devices; physical security; and logical security.
Maali The most difficult, but foundational and important privacy control, is to maintain a current inventory of all personal data, both within the organization and among relevant third parties. All lines of defense will have a role in meeting that objective. With a sustainable and accurate data inventory, companies can deploy other controls around information security and data-subject rights.