Internal auditors ranked EU General Data Protection Regulation compliance as a top priority in the run-up to May 25, 2018. Knowing that penalties under the GDPR can amount to 4 percent of global annual turnover, many heads of internal audit are including a review of this area within their annual internal audit plans. As a function that has a holistic view of the organization, internal audit plays a role in evaluating the organization’s GDPR compliance. By taking up the role of a strategic partner of the data protection officer, internal auditors can help to guide the company strategy, raise awareness, assess the potential risks, identify gaps, and test the remediated procedures.
The internal audit and the data protection officer: The perfect allies
The GDPR specifically assigns privacy- and data-protection-related tasks within the organization to the DPO. In order to perform these tasks, the DPO will have to rely on the input and collaboration of the other functions within the organization. Picking internal audit as an ally makes sense, as both functions have the same objective: to minimize the organization’s exposure to risk.
IA can play a key role in supporting the DPO to facilitate GDPR compliance. On the one hand, IA performs independent assessments and reports on the effectiveness of implemented measures through the testing of controls as defined in the internal audit plan: Based on its capacity of overseeing policies and procedures and monitoring risk-management activities, IA can give the DPO an assurance of the baseline of compliance after the initial audit. Recurrent audits can also showcase the evolving maturity of the GDPR program. On the other hand, the identification of potential weaknesses provides information to the DPO in order to orchestrate the next steps to achieve GDPR compliance.
The alliance is also beneficial for IA: Auditors can leverage the expert knowledge of the DPO to signal the organizational risks related to the GDPR, as well as to define the controls of the internal audit.
How can IA enable GDPR compliance? Getting your board and senior management on board
IA is uniquely positioned to fulfill an awareness-creating function from start to end of a GDPR compliance exercise. Where an organization has not yet embarked on efforts to implement the GDPR requirements, IA has the responsibility to highlight that noncompliance can heavily impact the assets of the organization: The lack of compliance with the GDPR will inevitably be rated as high risk, as this can result in tremendous penalties and potential reputational damage. Consequently, IA’s findings are an effective management tool to advocate the adoption of a proactive and best practice approach toward GDPR compliance.
During the GDPR implementation, the DPO can rely on IA’s experience to set up assurance audits that ensure that board and senior management are kept aware of the progress of the GDPR roadmap. Recurrent internal audits can raise a red flag in case documentation that needs to be maintained — such as a record of data processing activities and a data protection impact assessment — does not reflect the latest events or controls.
After the implementation of a GDPR program, IA can instill confidence by performing an independent review of the effectiveness of measures as a part of the internal audit controls. The findings serve as an objective risk and compliance assurance to the board and management.
Creating momentum through the internal audit
The audit plan enables the identified stakeholders to reflect on the use of personal data within the organization. Auditing and being audited act as a catalyst for the general level of data protection awareness among all the staff. Also, the data protection awareness will be tested through a review of the effectiveness of privacy training and awareness campaigns. IA will have an overview of how aware staff is of data privacy risks throughout the firm and will recommend appropriate improvements.
Demonstrating compliance
Internal audits enable the DPO to comply with the accountability principle. This principle ensures that organizations are able to demonstrate that they comply with all applicable processing principles as formulated in the GDPR.
During a desktop audit, or "test of design," IA reviews whether all documentation (framework, policies, procedures, etcetera) is available and whether it meets the requirements of the GDPR. Here, the DPO can provide assistance to determine which documentation is relevant in the organization-specific environment. The outcome serves as a first indication as to which policies and procedures need to be developed or amended. Once the relevant documentation is in place, a test of effectiveness can be developed where the IA will test whether the departments, functions and/or processes effectively implemented the controls.
The IA should clearly document evidence received, all tests performed, and the test results (including inquiry dates, who was interviewed, and evidence inspection tests). In cases where the organization considers an area as nonapplicable for testing, the reasoning should also be recorded.
How to set up an audit plan: Determine the scope and priorities
Before designing and conducting the audit, the seasoned IA starts off with a full assessment of the risk of a personal data breach. This assessment provides the main guidance on which departments, functions and/or processes should be audited, which one gets priority, and how often each should be audited. The outcome of the risk assessment will depend on the likelihood of occurrence, the impact, and the mitigating controls.
Different obligations require different audit approaches
In order to test the effectiveness of implemented policies and processes, IA has to take into account the dependencies and interfaces between departments, IT systems, and personal data sets. Where processes, procedures, systems, and records are specific to one team or department within the organization, an audit can focus on one department: IA will audit the policies, processes and supporting IT systems for the entire data life cycle used by the team or department.
In cases where processes and systems are managed centrally or when they are not specific or unique to a particular department, then these processes and systems should be audited across departments. The underlying process to comply with the individuals’ right to erasure is an example where IA has to take a procedural approach.
Reporting and stakeholder communication are key
Frequent status reporting, including the evidence collected by IA, should be accessible to the relevant internal stakeholders who are engaged in GDPR compliance. During the frequent privacy meetings with these stakeholders, the progress with regards to the internal audits should be discussed. Stakeholders can confirm findings, escalate difficulties, and identify processes and systems that fell through the cracks of the initial audit scope. In short, these meetings will enable the stakeholders to support, update or correct the scope and approach of the internal audit.
Look for part two of this series in next month's edition of The Privacy Advisor, in which compliance with the "right to erasure" will be discussed.