IT auditors can act as strategic but independent partners to businesses currently working toward compliance with the European Union General Data Protection Regulation (GDPR), scheduled to come into enforcement on 25 May 2018.
Executive management increasingly expects the audit function to add more value to the business as a subject matter expert in all areas of risk management, as well as by supporting key business objectives and strategic initiatives. GDPR compliance is fundamentally a risk management exercise, which the audit function is well equipped to support.
Technology breaks down organizational silos
GDPR requirements require attention and remediation expertise from various functions within the business, including human resources, legal, compliance, marketing, communications and IT. For compliance efforts to succeed, the unintentional walls that often exist between these functions need to be broken.
While GDPR compliance is not solely a technology issue, technology acts as a common denominator across business processes and plays a significant role in the collection, processing, storage and transfer of personal data. This is the reason IT auditors in particular can use their overarching view of technology across the organisation to highlight interdependencies and gaps in GDPR compliance efforts.
In addition to supporting a robust control environment, IT auditors can act as risk consultants while maintaining their auditor independence.
During remediation activity made necessary by GDPR compliance, IT auditors should establish strategic partnerships within the business through:
- Leveraging their understanding of the technology landscape to provide a big picture view of data risk beyond individual remediation workstreams;
- Highlighting control interdependencies and escalating potential control design gaps through early identification;
- Advocating for data privacy risk to be considered and prioritized within IT transformation activities.
Below are five examples of GDPR compliance workstreams and technology domains where IT audit can add value by providing an independent view.
1. Data Protection Impact Assessments (DPIA)
IT auditors acting as subject matter experts can help facilitate discussions so that the risks and impact of processing personal data are considered as early as possible when initiating new IT projects or vendor relationships.
The early identification of data protection risks through DPIA exercises is a significant step for successful implementation of privacy-by-design within:
- The existing data processing estate;
- In-flight IT projects (development and acquisition); and
- Future technologies and longer-term IT changes.
Beyond merely satisfying compliance requirements, IT auditors should help the business take a longer-term view by institutionalising data protection impact assessments (Article 35) and fostering new ways of thinking about the impact of privacy on data processing activities.
2. Data Governance and Data Flows
Organizations (data controllers and data processors) must demonstrate their compliance with GDPR by maintaining records of processing activities under their responsibility and implementing technical and organizational measures (Article 32).
This requirement aligns perfectly with the main objective of data governance – to ensure the management of data as a strategic business asset in order to derive maximum value.
Effective data governance involves understanding data flows within business processes and ensuring the stewardship of data through activities such as developing data architectures, implementing quality management, integrating data and managing meta-data.
As organizations develop and maintain records of their personal data processing, IT auditors can provide a view on data flow mapping activities. Key questions to ask business representatives include:
- What personal data items are being collected and in what formats?
- At what point in the data flow is lawful processing of personal data determined?
- Can storage locations and formats easily facilitate the enforcement of data subject rights, including subject access requests, right-to-erasure, rectification and portability?
IT auditors can help facilitate evaluations of the completeness of data flows by sharing good practices from their experience in mapping business processes during scoping activity.
3. Risk-Based Data Protection Controls
While it may be tempting to rush toward implementing encryption and pseudonymisation as solutions to data protection, it is important to question whether these controls are necessary in the first place (see GDPR Recital 28). Other protection strategies might be more appropriate, depending on the risk.
Where a risk assessment determines that pseudonymization is required as a method of data protection, IT auditors can help the business consider whether:
- System design permits the attribution of pseudonymized data to natural persons (data subjects) through inadvertent data enrichment;
- Domain segregation is applied to separate attribution data from pseudonymized data; and
- Access to meta-data is appropriately restricted.
By challenging the business to consider the real risks to data, it is possible to arrive at pragmatic solutions for data protection, which may include applying controls like pseudonymization.
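The three design questions above (inadvertent enrichment, domain segregation, restricted meta-data) can be made concrete in code. The following is an added example and is not code from the original article or from any cited body; it assumes a keyed hash (HMAC-SHA256) as the pseudonymization function, a constructed four-row sample of personal data, and hypothetical names (AttributionDomain, singled_out, generalize). The attribution mapping and the key live only inside the attribution domain; the analytics view carries pseudonyms plus quasi-identifiers, and singled_out flags records whose quasi-identifier combination is unique enough that joining the view with another dataset would attribute them to a person.

```python
import hashlib
import hmac
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed sample records (not taken from the article). "email" is a direct
# identifier; "postcode" and "birth_year" are quasi-identifiers that could be
# matched against other datasets.
SAMPLE_RECORDS = [
    {"email": "ana@example.org", "postcode": "SW1A 1AA", "birth_year": 1984, "spend": 120.0},
    {"email": "ben@example.org", "postcode": "SW1A 1AA", "birth_year": 1984, "spend": 45.5},
    {"email": "cai@example.org", "postcode": "EH1 1YZ", "birth_year": 1990, "spend": 300.0},
    {"email": "dee@example.org", "postcode": "EH2 2AB", "birth_year": 1993, "spend": 77.0},
]

DIRECT_IDENTIFIERS = ("email",)


class AttributionDomain:
    """Hypothetical component that holds the secret key and the pseudonym-to-identity
    mapping. Under domain segregation it is deployed and access-controlled separately
    from the analytics environment, which never sees the key or the mapping."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._attribution: Dict[str, str] = {}

    def pseudonymize(self, record: dict) -> dict:
        # Keyed hash: without the key a pseudonym cannot be recomputed from the
        # identifier, whereas an unkeyed hash of an e-mail address could be matched
        # by anyone able to enumerate candidate addresses.
        identifier = record["email"]
        pseudonym = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._attribution[pseudonym] = identifier
        # Strip direct identifiers before the record leaves this domain.
        return {"pseudonym": pseudonym,
                **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Only callers with access to this domain can attribute a pseudonym.
        return self._attribution.get(pseudonym)


def pseudonymize_dataset(records: List[dict], key: bytes) -> Tuple[AttributionDomain, List[dict]]:
    """Split a dataset into an attribution domain and an analytics view."""
    domain = AttributionDomain(key)
    analytics_view = [domain.pseudonymize(r) for r in records]
    return domain, analytics_view


def _combo(record: dict, quasi_identifiers: Sequence[str]) -> tuple:
    return tuple(record[q] for q in quasi_identifiers)


def singled_out(analytics_view: List[dict], quasi_identifiers: Sequence[str], k: int = 2) -> List[str]:
    """Return pseudonyms whose quasi-identifier combination is shared by fewer than k
    records. Such rows can be attributed to a natural person by enriching the view
    with any other dataset carrying the same fields (a k-anonymity style check)."""
    counts = Counter(_combo(r, quasi_identifiers) for r in analytics_view)
    return [r["pseudonym"] for r in analytics_view if counts[_combo(r, quasi_identifiers)] < k]


def generalize(analytics_view: List[dict], field: str, transform: Callable) -> List[dict]:
    """Coarsen one quasi-identifier (e.g. full postcode to area, year to decade),
    one pragmatic alternative to retaining detail the processing does not need."""
    return [{**r, field: transform(r[field])} for r in analytics_view]


if __name__ == "__main__":
    domain, view = pseudonymize_dataset(SAMPLE_RECORDS, b"constructed-demo-key")
    print("analytics view:", view)
    print("singled out:", singled_out(view, ("postcode", "birth_year")))
    coarse = generalize(generalize(view, "postcode", lambda p: p[:2]),
                        "birth_year", lambda y: (y // 10) * 10)
    print("after generalization:", singled_out(coarse, ("postcode", "birth_year")))
```

Run against the constructed sample, the analytics view contains no e-mail addresses, yet two of the four records are singled out by postcode and birth year alone; coarsening both fields removes the unique combinations. An auditor can use the same questions in review: who holds the key, who can call reidentify, and whether the quasi-identifiers left in the analytics view are needed at all.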
4. Big Data and Machine Learning
According to the EU Agency for Network and Information Security (ENISA), “The extensive collection and further processing of personal information in the context of big data analytics has given rise to serious privacy concerns, especially relating to wide scale electronic surveillance, profiling, and disclosure of private data.”
While unlocking the business value of data is a critical part of any digital agenda, businesses must thoroughly consider the potential impact on data subjects of unfair or biased data models, inaccurate analysis and prediction of future events (for example, through methods such as machine learning), and profiling (Article 22).
IT auditors can challenge data scientists within their organizations to consider questions such as:
- Fairness: How do you ensure that big data algorithms are not repurposed in unexpected ways to draw unexpected conclusions about data subjects?
- Data minimization: How do you avoid excessive data collection, manage data retention (including secondary uses of data) and guarantee data subject rights?
- Data protection: How do you ensure privacy enhancing technologies (PETs) are designed by default into big data solutions?
5. Data Processing in the Cloud
While IT auditors’ focus on cloud computing is not new, GDPR compliance requires renewed attention to data processing performed by third parties, including cloud service providers (CSPs).
Data privacy/protection-related control considerations for cloud-based data processing include:
- Maintaining accurate records of cloud-based processing;
- Establishing data processing location controls within cloud architectures;
- Ownership of master keys for encrypting data-at-rest and data-in-transit;
- Contractual definitions of controller, processor and sub-processor responsibilities; and
- CSP support for the enforcement of data subject rights (e.g., right-to-erasure).
Rather than a sprint to the finish line, organizations must see GDPR compliance as a marathon toward the goal of institutionalizing data privacy and data protection in the corporate culture. IT auditors can support this cultural change by looking beyond annual IT audit calendars and one-off GDPR-related audit engagements.
Through early and consistent engagement with the business through conversations, training and workshops, the IT audit function can mature from its traditional focus as a control watchdog to become a strategic business partner supporting longer-term organizational objectives.