GDPR Audit: How Internal Audit Will Play a Key Role in Compliance

April 30, 2018

Learn about the current state of GDPR compliance and the responsibilities for Internal Audit now that it has become law. Read below for our essential takeaways and keys on how to audit GDPR compliance.

What Is a GDPR Audit?

General Data Protection Regulation (GDPR) Audits has become the norm for most organizations. Like most regulatory audits, GDPR audits generally come in two flavors: internal and external. Internal GDPR audits operate as a self-audit of compliance to the regulation and provide the opportunity to make improvements to internal processes and are often under the responsibilities for Internal Audit. External GDPR audits come from the European Commission’s Information Commissioner’s Office (ICO).

Since a GDPR audit is a regulatory compliance audit, the actual execution of the audit is relatively static. In fact, groups like Gartner have published a GDPR audit program that ties the compliance audit directly to the regulation. Internal audit teams can play a key role in facilitating the internal compliance self-assessment and determining how to audit GDPR compliance.

On May 25, 2018, the General Data Protection Regulation went into effect and immediately became enforceable as law in the European Union. The legislation, whose impact on data privacy and security programs has drawn comparisons to the effect Sarbanes-Oxley had on financial regulation, affects any organization that collects, stores, or processes the personal information of EU residents. Most expect to see an internal GDPR annual audit going forward to ensure compliance with the GDPR regulation.

External audits, performed by the European Data Protection Supervisor, are targeted based on “risk analysis, whether special categories of data are processed, the time elapsed since the last audit and whether there has been an increase in the numbers of complaints.” One of the best ways to prepare for this type of audit is to perform an internal self-assessment. In this way, the internal audit team can assess and address the current state of your data security risk exposure.

What Does GDPR Do?

GDPR unifies regulation of all EU residents’ personal information privacy by replacing all member state-specific Data Privacy laws by introducing a Supervisory Authority for each member state. GDPR also raises the stakes for noncompliance, with heavy fines of up to 20 million euros, and grants consumers the right to retribution for data privacy breaches.

Enforcement: Past Trends and Future GDPR Predictions

While companies within the member states are at the highest risk for GDPR — i.e., the most significant personal information processors — are presumably the most prepared for the deadline. Most businesses affected by the regulation become compliant shortly after the May 25 introduction of the law. Historically, European privacy authorities have taken action against a wide range of companies for privacy infractions before GDPR. For companies across the entire business landscape to take GDPR seriously, regulatory authorities will most likely continue in this tradition by targeting a range of organizations – from large data processors to average companies – in the coming months.

How Can Internal Audit Ensure All Steps Are Being Taken for Effective Compliance?

Internal Audit should continue to educate management on the importance of GDPR and assist with remediation activities. There are several activities Internal Audit can play a role in now that the regulation is in place and as part of the GDPR annual audit.

Developing an Inventory of Processing Activities

This is one of the most time-consuming activities in the overall GDPR compliance process that Internal Audit can help with. It requires process mapping, identifying systems and processes, and things Internal Audit already does in their day-to-day activities.

Reviewing the Compliance State

In some cases, companies may have reached a state of compliance but may have gotten there by cutting corners. In such instances, Internal Audit can help by performing a GDPR audit to identify each of the critical components of GDPR that were addressed but were not adequately documented and help by documenting those processes. Some examples of this in action are identifying the basis of legal processing for each of the workstreams in the inventory and auditing the privacy notice.

Third-party Due Diligence

Depending on where an organization is in its GDPR state, Internal Audit can help with the compliance activities. It can play a role in auditing vendors, for example.

Data Protection Impact Assessments (DPIA)

Data Protection Impact Assessments help organizations identify, assess, and mitigate risks with data processing activities — an essential step in complying with GDPR. As DPIA needs are identified, Internal Audit plays a significant role in conducting DPIAs.

Leverage Existing Regulations Around GDPR

The European Union’s existing Data Protection Directive has similar components to — and in some cases is even more restrictive than — GDPR. Organizations who do an excellent job following the directive can be more comfortable complying with GDPR email and telemarketing activities. Any extra effort for those processes should not be much of an extra burden. Internal Audit may also leverage existing audits to develop the GDPR audit program.

What Will Be GDPR’s Greatest Positive Impact?

GDPR’s most significant positive impact has been providing greater trust between EU consumers and companies. Vigorous enforcement affecting a range of organizations provides more incentive for companies to be aware of GDPR, even lower-risk companies. How enforcement of the regulation will unfold and legal implications for companies without physical locations in the European Union remain to be seen. The most well-prepared organizations are the ones who work on strengthening their privacy, cybersecurity, and data security programs using frameworks such as GDPR and NIST cybersecurity standards — continuously. Take advantage of Internal Audit’s skills and expertise and perform ongoing GDPR audits to assess the organization’s preparedness and compliance.