Unsure about what to expect from next week's launch of the General Data Protection Regulation (GDPR)? You aren't alone.
In a report just one month ago, only 62 percent of IT decision-makers surveyed said they were "confident" in the buildup, while 18 percent described themselves as "nervous," according to an article in the Data Center Journal. This follows months of reporting in 2017 from countries around the world about being "far from ready" for this fundamental shift in data privacy emanating from Europe.
May 25 marks the launch of GDPR, a set of rules protecting data for individuals across all 28 European Union nations plus Iceland, Liechtenstein, and Norway. What makes it ominous is that GDPR applies to any organization that has employees or data on individuals in these countries, even if the organization is located outside the agreeing countries. This month, research firm Gartner predicted that by the end of 2018, more than half of companies affected by GDPR will not be in full compliance with its regulations.
Reaching full compliance is a mountain to climb, because the regulations are so sweeping. GDPR provides individuals with numerous fundamental rights: the right to be informed of what personally identifiable data is being held, where it is being stored, and with whom it is being shared; to be forgotten; to safely move, copy, and transfer data; to timely notification of a breach; to object; to access. Organizations face substantial fines for noncompliance: up to €20 million or 4 percent of global annual revenue of the prior financial year, whichever is higher.
At this point, I imagine chief audit executives (CAEs) have pored over a stack of regulatory requirements and interpretations to create a detailed plan for the board. But this is not a one-and-done event, to be wrapped up on May 26.
GDPR is a game-changer. This is the future of a digital economy dropped on our doorsteps and an opportunity for CAEs to see and embrace a cup that is half full. Getting the organization's processes and controls for record keeping, data security, access, and privacy in order to be compliant with GDPR is an enormous opportunity to build trust.
GDPR applies not only to individuals' data but also to that of employees. As a first step you are likely to have thought through what data is being collected on individuals and employees and why. Is it providing a valuable service to the organization? How long should it be kept? However, GDPR is so much more.
Many of the risks that accompany inaccurate information, inefficiencies, high costs, gaps, no ownership of issues, and careless cyber protections can be addressed through compliance with GDPR. Full visibility, rapid insight, alignment to business priorities, and comprehensive responses are all upsides of going through this process.
Boards want overall risk protection and assurance from internal audit, especially when it involves issues that come with the potential for significant fines. Yet, last fall an ISACA survey revealed that less than one-third of senior executives and boards of directors said they were satisfied with their organization's progress to prepare for GDPR. More than one-third said they were unsure of their progress. CAEs should see GDPR as an opportunity to own and regularly communicate compliance successes and challenges with the board.
To be sure, noncompliance issues will rise to the board level very quickly. For example, failing to reply within the 40-calendar-day window set forth in GDPR to a subject access request (SAR) exposes an organization to a claim and fine, not to mention damage to its reputation. Individuals and employees have a right to be informed if an organization is processing their personal data, for what purpose, and if it is being shared. Organizations must respond to a SAR with copies of the personal data and information about the sources, according to the GDPR: Report website.
Replying to a letter from a customer asking your organization for a list of all third parties with whom their personal data has or may have been shared might not seem too difficult. But what if that question comes as part of a coordinated campaign of SARs launched against the organization? When you consider the vast amount of information held about employees and former employees in personnel files, internal memorandums, meeting notes, or simply emails, a deliberate campaign could be as crippling as a cyberattack.
So as May 25 quickly approaches, here are a few questions to consider:
- Does the board/audit committee understand the risks associated with GDPR? Has internal audit had an opportunity to share its perspective?
- Have you reviewed how personal data is collected? What is the source? Is it complete, accurate, and reliable?
- Do you know where the data is? How is it being stored? Is it touching multiple systems and have controls over all of these systems been evaluated? Have processes and data flows been documented and mapped?
- Are there third parties who have access to your organization's data? Have they been evaluated for compliance?
- Are your organization's cybersecurity controls mature enough to handle GDPR requirements? What needs to be tweaked or added?
- Has your organization defined processes and determined roles and responsibilities to provide the data to individuals who ask for it?
- Does your organization have the ability and appropriate controls in place to "forget" someone should they request it?
GDPR is far-reaching and there are many more questions that will need to be answered. Getting to full compliance will take significant resources and investment. At the same time, it represents an opportunity for internal audit to leverage this compliance requirement into a meaningful value enhancement for the organization.
That's my point of view. I'd be happy to hear yours.