Now that the deadline has passed to comply with the European Union’s (EU) General Data Protection Regulation (GDPR), many compliance executives are breathing a sigh of relief. Yet the real compliance work is only beginning.
GDPR consolidates the EU’s personal data privacy protection laws and redirects the way organizations approach data privacy. It greatly expands privacy rights of EU citizens and residents and applies to any organization that does business with those individuals, regardless of its location. Organizations that don’t comply with GDPR face penalties of up to 20 million euros or 4 percent of annual worldwide turnover, whichever is greater.
Compliance will require continued focus and effort. Internal audit can help an organization mitigate GDPR compliance risks by identifying ways to improve controls, raising risk awareness and assuring compliance.
Internal audit can help an organization shift from the preparation phase to the implementation phase of GDPR. The regulation specifically requires organizations to focus on these control-oriented topics:
- Accuracy and quality require organizations to ensure data is accurate and up to date and allow individuals to correct their records.
- Security and privacy by design require organizations to document decisions made to inform EU residents about how their data will be used and restricted. They also must implement technical, administrative and physical security/privacy controls to mitigate potential harm.
- Security safeguards ensure technical and organizational measures are implemented for privacy and security.
Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements and strengthen controls that prevent and detect data errors.
Raising Risk Awareness
The direct risks associated with GDPR include potential fines and reputational impact. However, by digging into the regulation’s purpose, internal auditors may identify other data protection risks.
Monitoring, Measuring & Reporting
Organizations must have a data protection officer (DPO) to lead privacy and compliance efforts. Among the DPO’s tasks are reporting on compliance monitoring, training staff and ensuring privacy compliance audits take place. The organization must perform data privacy impact assessments when new technologies and systems are used, provide timely data breach notifications and report on the use of third-party processors.
GDPR imposes sanctions and penalties on organizations that process data unlawfully or fail to deploy safeguards. In addition, individuals may request that the organization remove their personal data from automated processing and profiling.
Organizations must put processes in place to notify persons no later than 72 hours after they discover a data breach if it’s determined the breach will result in a high risk of privacy harm to those individuals.
Openness, Transparency & Notice
Organizations must keep data for specific and legitimate purposes and notify persons about how the organization will use their data. Organizations also must inform individuals of safeguards applied when personal data is transferred to a third country.
EU residents may request access to data, obtain a copy of the data held and withdraw consent to use personal data as long as withdrawal doesn’t result in legal violations. Individuals may object to their data being used for direct marketing and profiling and may contact the DPO for any issue related to processing their personal data.
Internal audit can educate management about potential risks and ways to manage risks in each area. Auditors can communicate relevant information about these risks via informal emails, a departmental newsletter or meeting with management.
As new policies and procedures mature, internal audit will need to perform regular compliance audits to determine the extent to which the organization is complying with GDPR. Auditors should focus on how the organization manages data to help strengthen privacy and security controls and ensure they’re designed appropriately and operating effectively. Auditors will need to assess compliance with key aspects of the regulation and provide early warnings about problems.
Choice & Consent
Under GDPR, organizations also must allow users to choose how their personal data is used. Further, organizations must document and maintain consents and request parental authorization before collecting a child’s data.
To ensure data collection is lawful and necessary, organizations can collect only personal data that’s needed to achieve the intended purpose. Reviewing and handling requests for further processing, restricting requests for data related to criminal convictions and documenting situations where the right to object doesn’t apply are all important. Internal auditors can help reduce risk by sampling data collection mechanisms for compliance.
Organizations may keep data no longer than the period required to support the purposes for which it was collected, and they must erase an individual’s personal data upon his or her request. GDPR permits organizations to retain data meant for archiving purposes in the public interest or for reasons of scientific or historical research.
Free Flow of Information & Legitimate Restriction
This principle includes protections for data transfers using legally binding agreements between public authorities, binding corporate rules, model clauses and other mechanisms.
Third-Party Vendor Management
This principle ensures organizations gather third-party/vendor guarantees of GDPR compliance along with proof that third parties have the required technical and organizational safeguards. The DPOs of the data controller—organizations or individuals who determine the purposes and means of processing data—must provide written authorizations to use a given processor.
GDPR’s accountability principle provides a legal basis for processing personal data, establishes the DPO role and informs citizens and residents of existing privacy rights and safeguards. In addition to overseeing the data protection strategy, the DPO must maintain contact with the supervisory authority and demonstrate compliance.
Internal auditors will need to periodically assess processes and controls for each of these principles to ensure they’re designed and operating effectively. Auditors can review a sample of data transfer documentation to look for data that shouldn’t be transferred to another organization. They can run reports to look for data that’s being kept longer than necessary and review available documentation for any exceptions.
A GDPR Audit Plan
To help the organization maintain compliance, internal audit should include independent GDPR assessments and compliance testing in the audit plan. It can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Finally, it can identify opportunities to audit common processes across departments.
For assistance with GDPR compliance and information on internal audit, contact Jan or your trusted BKD advisor.