Internal Auditor, June 2017
of the regulation. This can be triggered simply by providing
goods or services to EU citizens or by allowing individuals to
create user online accounts or profiles that can then be tracked
and monitored. EU-based organizations must comply with the
regulation based on their jurisdiction. Internal audit should
coordinate with compliance and privacy professionals to
ensure the new requirements are understood and assessed.
Program Governance and Policy Management
Organizations must identify the privacy/data protection program
owner and name a data privacy officer. This owner must be
aligned organizationally to allow for oversight of the many
departments required to participate. Given the extensive
requirements associated with the GDPR, full compliance
cannot be achieved through disparate or disconnected efforts.
Further, application of organizationwide policies, procedures,
controls, and monitoring will help ensure consistent alignment of data protection requirements across locations and
operations. Privacy program reviews should consider applicable policy updates to ensure specific consideration is given
In addition, given the cross-functional reach of privacy requirements, auditors should ensure updates are considered within
other functional policies such as software development (e.g.,
privacy by design considerations) and human resources (e.g.,
employee data management practices).
Data Mapping and Privacy Impact Assessments
Understanding the scope and associated obligations is critical in
establishing any governance program. The GDPR considers
the activities of data mapping—identification and classification of information assets—and a privacy impact assessment.
The results of these activities will guide the remaining program
structure and assessment activities. Auditors should coordinate
with the compliance or privacy team to ensure these key scoping steps are completed. They provide the foundation for the
privacy program assessment as well as key inputs into overall
audit universe and risk assessment activities, and thus should
be incorporated into audit planning and testing programs.
Contract Management
Contractual partners and other organizations also are in scope when considering the impact on privacy,
as these entities often touch, handle, or transfer data. Through
an established contract management process, an organization
can identify, assess, and respond to data protection obligations
across entities. Processes should consider both client contracts, which may require use of standard contractual clauses
for cross-border transfers, and vendor and supplier contracts.
Within vendor and supplier contracts, companies must ensure
obligations are extended to the partner organizations. Internal
audit should review contract management procedures with
legal and procurement teams to ensure processes are in place to
extend and monitor compliance with obligations.
Notice and Consent Obligations
Specific obligations for
notice and consent may vary based on an organization’s service
offering and client interactions. The GDPR requires specific,
informed, unambiguous, and in some cases explicit consent
to process personal data. Audit should review these processes
to ensure both internal associate and client data are maintained
and used in accordance with the notice and consent structures
in place, or that necessary modifications are made.
Operational Considerations
Organizations also must consider storage and movement of personal data within their systems, especially if data is being transferred to or accessed from
a non-EU country. A “cross-border transfer” considers both
actual data movements and access to the data from outside the
originating jurisdiction. Collecting, recording, accessing, using,
storing, retrieving, or reading data outside the originating jurisdiction constitutes a transfer. Auditors should incorporate into
annual test plans both access-based and process-based control
tests to ensure data transfers are managed correctly.
Data Security Considerations
While obligations for
appropriate technical and organizational measures continue
to apply as established by prior regulations, the GDPR
includes enhanced breach notification obligations. As such,
organizations must ensure their incident response policies
and procedures align with the requirements. Review of both
incident response and overall security controls should be
included in audit’s annual plan to ensure a timely response is
possible and, if not, that adjustments are made.
These steps can set a course toward governance structures
aligned with the data protection regulations. Repercussions of
noncompliance are high, with impact to core operations and
fines potentially reaching 2 percent to 4 percent of global revenues. Internal audit is key in enhancing ongoing compliance.
As the global privacy landscape changes, organizations
must establish both privacy governance structures and a regulatory change management process. This includes defining ownership, refining assessments to incorporate new and changed
requirements, and continuing to enhance internal plans and
programs. Change must be part of the governance model for
privacy and data protection, and auditors should review these
structures to confirm appropriateness.
Melissa Ryan, CRMA, is a practice director at Asureti in