Data Protection in a GDPR World

New privacy regulations require increased data vigilance, expanding the need for internal audit’s risk and control expertise.


Over the past decade, data has become the most important asset for companies. Big-data analytic capabilities and advancements in artificial intelligence have shifted business models and transformed how companies use information. And with data growing exponentially every day, the task of protecting it has become more and more challenging.

The passage of new regulations such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the U.S. imposed new requirements for how companies use and collect personal information. Noncompliance or failure to adequately safeguard personal information can result in significant fines and impact the corporate brand and consumer trust. As a result, internal audit is increasingly being asked to help evaluate data protection risks and controls.

Although many companies have implemented protection capabilities to comply with the requirements, laws are still being interpreted — and what constitutes adequate security under CCPA and GDPR is still being analyzed. Organizations must maintain their focus and monitoring efforts to remain compliant. Internal audit teams can help companies identify risks, improve controls, and work as a strategic partner in evolving data protection capabilities.

Define Data Protection

Data protection refers to the practice of safeguarding information from compromise, loss, and disruption. In the context of GDPR and other privacy regulations, the concept focuses on protection of personal data. And it isn't limited to just preventing that data from being hacked or stolen. The scope of data protection ranges from classification and categorization to retention of all data in an organization.

Companies need to understand the sensitivity and type of data they collect, process, and store. Moreover, they need to ensure data is available and appropriately retained based on business need. Given the broad scope of what data protection can entail, internal auditors should ensure their organization has established a governance model with defined roles and responsibilities for each team as well as procedures that detail the steps necessary to protect data. At the same time, these procedures should align with compliance and security objectives.

To help achieve this alignment, internal auditors should define a baseline framework that allows roles, activities, and controls to be mapped to specific requirements or domains. Auditors can leverage industry frameworks, such as the U.S. National Institute of Standards and Technology (NIST) Privacy Framework or International Organization for Standardization's ISO 27701 framework, to support the development of privacy controls. Defining a framework and tailoring it to the company will help ensure that only the necessary requirements are considered and tested. The framework also will enable internal auditors to identify the accountable party for each requirement or domain.

Determine Audit Scope

In defining the scope for a data protection audit, it's important to take a risk-based approach. Internal auditors should conduct a risk assessment to determine the inherent risk for each business process and system and prioritize audits of higher-risk areas. The results can help determine the audit frequency for each business process and its systems.

From a data protection standpoint, the risk assessment should consider exposure factors and threats to these processes and IT systems. Internal auditors can assess several factors:

  • The type of information being processed.
  • The sensitivity of the data.
  • Whether the process or system is external facing.
  • The volume of data being processed.
  • The number of users who have access to the data.
  • Whether an internal or external party hosts or manages the supporting IT systems.

From a threat perspective, internal auditors can refer to industry frameworks such as Microsoft's STRIDE — primarily focused on security threats — and the LINDDUN privacy threat modeling framework developed by the DistriNet and COSIC research group at Katholieke Universiteit Leuven in Belgium. Alternatively, auditors can build their own threat and vulnerability register. They can then map the threats to each business process and system to support the inherent risk calculation. Prioritizing the business processes and systems will help internal auditors maximize their effort and investment while providing company leadership with clear visibility into critical business operations and data protection risk areas.

Understand the Data Life Cycle

To identify data protection gaps and test control effectiveness end-to-end, internal auditors should tailor their approach to the data life cycle. Auditors should develop a standard approach based on each life-cycle stage — such as data collection, transfer, use, storage, and destruction/retention — and then customize the approach for each business process and its systems. This effort will help streamline the planning and design phase, allowing auditors to focus on the execution and control testing phase of the audit.

Understanding the life cycle provides internal auditors with insight on why data is being collected, where it's being transferred, how it's used, where it's stored, and when it's destroyed. Without this context, controls are implemented and tested in silos, making the efforts ineffective or redundant. Auditors should use this information to evaluate the risk of each business process and its systems in relation to the corresponding data protection controls.

Through the life-cycle approach, internal auditors also can evaluate the data subject right-request process. Under GDPR and other new privacy regulations, individuals — referred to as data subjects in GDPR — have the right to request access to their information or have it deleted. Many companies struggle to fulfill these requests due to a lack of understanding about where personal data is stored or if it can be deleted. Through a data life-cycle lens, internal auditors can provide assurance on whether IT systems are appropriately scoped to support data access or deletion requests.

Although there are tools available that can help companies discover and scan IT systems to consolidate and analyze data, gaps in knowledge of each system may still exist. Understanding the full data life cycle can help uncover data that may be stored in the cloud or with other third-party providers. Internal auditors should identify these gaps and work with the privacy and compliance teams to develop a plan for incorporating those data repositories into the company's data subject right-request processes.

Data Protection by Design

As a best practice, data protection needs to be incorporated into the design process at the onset, a concept known as data protection by design. Traditionally, data protection was most often delegated to information security and consisted of managing point technology solutions (products that address one specific need), such as data loss prevention tools. This narrow scope limited companies' ability to put effective controls in place. The concept of data protection has evolved as a result of GDPR and other privacy regulations, expanding the scope of protection measures.

Data protection by design focuses on identifying issues and risks throughout the entire data life cycle and implementing controls as the business processes are being developed, rather than at the end. By evaluating the entire life cycle, internal auditors can identify gaps in data protection controls and help pinpoint the life-cycle stage where these controls should be implemented.

Data protection by design does not mean that companies need to develop new processes and questionnaires that ultimately inundate the business with additional work. Instead, data protection requirements and controls should be woven into the process itself. They should be integrated into existing processes when a company evaluates a vendor, when a new solution is being designed, or when a business process changes. Internal auditors can use their broad knowledge of the organization to help companies design a process that promotes a culture of compliance while limiting business disruption.

Training and oversight efforts represent a good starting point for incorporating data protection by design concepts into the organization. Internal auditors can work with human resources (HR) and privacy teams to develop meaningful training programs and awareness campaigns. The training content should be relevant to each group of employees and focus on how they can apply data protection to their daily activities. Audit results can be used to pinpoint higher-risk areas and tailor the training content accordingly. By providing training content that is applicable to employee roles and daily responsibilities, companies can shift the way employees think. Privacy, data protection, and other compliance requirements become a part of their job instead of an extra component.

Consider, for example, an IT developer whose role is to build a customer web application. Through training that is targeted to her role and responsibilities, the developer can be made aware of privacy and data protection requirements for collecting and storing personal data. When the developer subsequently creates a mechanism for data collection, she will know that a method to collect consent should be in place, along with notice to inform data subjects of how the data will be processed and the need to adequately protect data being stored. Understanding these requirements at the beginning can provide privacy and compliance teams with ample time to evaluate and provide accurate requirements and content to business and IT teams, such as: Should the system be designed to provide opt-in or just opt-out consent? What encryption controls need to be in place? How long should data be retained?

In terms of oversight, having the right privacy and other subject matter resources — e.g., security, legal, and HR — accounted for early on in the process can help identify requirements and controls that may be missing from the design. The internal audit team can work with the various departments to form a review body tasked with evaluating new initiatives and IT systems. Inserting this body into the software development life cycle and tying funding or resources to the approval process can help ensure all new initiatives and IT systems are being reviewed. Additionally, having internal audit participate in these review sessions can be beneficial when performing control testing.

Data Protection During the Pandemic

As part of efforts to combat COVID-19 and protect human lives, many governments and companies have implemented emergency procedures. This has created some confusion and concern around privacy and data protection requirements, given the use of personal data such as health information and geolocation. In response, the European Data Protection Board released its Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak to provide guidance to governments and companies regarding the processing of personal data. The statement can be helpful to internal auditors as they navigate their organization's compliance with GDPR.

In a period where decisions and response time are critical, internal auditors can also provide the necessary support and guidance to company leadership so that privacy and data protection requirements do not act as a hindrance to implementing emergency procedures. For example, auditors can develop control decision trees — charts or data flow diagrams that consist of logic decisions and possible outcomes (controls or activities) — to help inform business and IT teams of requirements and considerations when collecting, processing, or storing personal data. Decision trees can provide a systematic way of identifying options that are least intrusive to individuals.

GDPR and other privacy regulations should not impede the organization's ability to carry out and implement emergency functions. Instead, companies and internal auditors should use the privacy requirements as guidelines for ensuring adequate controls are considered and implemented to protect the privacy rights of individuals during these unprecedented times.

Preparing for the Future

Privacy and data protection regulations will continue to mature globally. GDPR has created a strong foundation in Europe, while the U.S. landscape is still developing with other states and the federal government following California's lead. Other regions in the world have started to introduce or pass their own privacy regulations, such as the Brazilian General Data Protection Law and India's Personal Data Protection Bill. Internal auditors can help companies rationalize the different requirements to streamline assessments and control testing, which will improve efficiencies for many businesses.

Furthermore, as more data and IT systems move into the cloud and company technology boundaries continue to expand, it is harder to define responsibility and accountability for data protection. Taking a purely reactive approach toward new regulations and requirements puts companies at risk for noncompliance. The internal audit function can work with company leadership to help the entire organization embrace the concept of data protection by design, which can ensure appropriate controls are evaluated up front, protecting the organization, its employees, its customers, and their data.

Victor Chavalit
Lindsay Hohler

About the Authors

Victor Chavalit, CISSP, is cyber risk senior manager within the Advisory Services practice of Grant Thornton LLP in Chicago.

Lindsay Hohler, CIPP/US, is cyber risk principal within the Advisory Services practice of Grant Thornton in Arlington, Va.
