Dirk Lehmann, CISA, GCIA, and Frank van Vonderen, CISA, CGEIT, MSIT
In today’s society, the concern about the protection of personal data is steadily increasing.1 As a result of new technologies and social media, an ever-increasing amount of personal data is processed by more parties in more locations. Countries are responding by implementing updated or new data protection laws and by increasing enforcement activities.
However, both content and enforcement activities of these regulations are quite different; therefore, ensuring compliance with all local regulations is challenging for a global organization acting in several countries.
The need to audit global compliance is rising for the following reasons:
Globally acting companies can choose from different approaches to satisfy data protection laws,2 irrespective of the type of data:
Regardless of the approach that is chosen, it is important to understand that no organization can completely prevent data protection incidents from occurring since individuals can always make mistakes, such as accidentally sending an e-mail containing personal data to the wrong person or losing a data carrier (such as a Universal Serial Bus [USB] stick or backup tape). The key is to assess whether an organization is effective in reducing systematic vulnerabilities to an acceptable level. The level of what is acceptable for an organization is directly related to its risk appetite, which, in turn, is set by management and determined as part of a risk assessment. The risk level, risk appetite and risk profile of an organization will influence the risk response.4 Specifically for data protection, the risk level, the risk appetite and risk profile are influenced by four factors:
When a company has chosen to ensure data protection compliance on a per-country basis, the focus of the audit is to check whether the organization has implemented the requirements of the data protection laws of the countries in which it operates. Data protection laws generally address the following topics:7
The audit activities and questions can be specifically designed to check compliance with these requirements to determine whether an organization is following them. Some laws have specific requirements on controls that need to be in place,8 such as existence of data classification and data protection policies. For compliance with European privacy laws and regulations, there are comprehensive materials available that help auditors to prepare an audit.9
The objective of an audit on the effectiveness of the data protection program is to understand how effective an organization is in handling systematic errors relating to data protection. But what is a data protection program? The Institute of Internal Auditors has noted the following aspects of a data protection program:10
Evaluating the effectiveness of these elements is the basis for an audit on a data protection program. Apart from these elements, the following should also be considered:
A data protection program should also help an organization sustain compliance. One way to audit future compliance is to check whether there are quality gates that ensure that data protection requirements are evaluated during relevant developments. For example, it should be determined whether there should be mandatory or voluntary consultations with data protection specialists in the case of:
This combined set of elements will allow auditors to provide reasonable assurance regarding the effectiveness of the data protection program and the ability of the organization to prevent systematic errors.
When auditing a data protection program at a multinational organization, there are some general challenges that are helpful to consider:
Auditing the effectiveness of data protection at a multinational organization is influenced by the organization’s efforts to be compliant. An audit on compliance with legal procedures will show whether an organization has been compliant over the last period, while an audit on the data protection program will lead to assurance on how effective an organization is at preventing data protection incidents from happening.
Endnotes

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” All organizations collect personal data on employees. In addition, depending on the nature of the business, personal data are often collected on customers, suppliers and shareholders. Other examples include patient data and the personal data that companies process on behalf of their customers.
2 During their audit work, the authors observed only the two general approaches described; there may be other approaches.
3 Note that “data protection organization” is a general term. It can also be referred to as “privacy organization” or even “information security organization.”
4 Determining the risk profile and risk appetite is generally part of a risk assessment process. See ISACA, The Risk IT Framework, USA, 2009.
5 A recent example of the strong enforcement structure in Germany: “The Data Protection Commissioner’s Office (Independent Centre for Privacy Protection [ULD]) calls on all institutions in the federal state of Schleswig-Holstein, Germany to shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’ button from their web sites.” See www.datenschutzzentrum.de/presse/20110819-facebook-en.htm.
6 In the UK, the maximum fine under the Data Protection Act is a per-record fine; see www.dotmailer.co.uk/email_marketing_resources/law/penalties_for_noncompliance.aspx. Under US Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, penalty schemes are based on a formula that multiplies the fine by the number of data subjects affected (people); see www.malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93i/Section2.
7 There are more than 50 individual data protection laws in the world. The leading laws are related to Europe’s Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications) and US Massachusetts 201 CMR 17.00. The German Federal Data Protection Act is generally considered to be one of the strictest laws.
8 See US Massachusetts 201 CMR 17.00 and the German Federal Data Protection Act.
9 See European Committee for Standardization (CEN) Workshop Agreement (CWA) 16112 Self-assessment Framework for Managers, April 2010; CWA 15499-1 Personal Data Protection Audit Framework (EU Directive EC 95/46)—Part I: Baseline Framework, February 2006; and CWA 15499-2 Personal Data Protection Audit Framework (EU Directive EC 95/46)—Part II: Checklists, Questionnaires and Templates for Users of the Framework, February 2006.
10 The Institute of Internal Auditors, 2100-5 Legal Considerations in Evaluating Regulatory Compliance Programs, USA, 28 March 2001.
Dirk Lehmann, CISA, GCIA, is director of IT audit at Siemens AG and has more than 16 years of experience in IT. Previously, he was manager of information security in Siemens AG’s corporate IT department and led the Siemens computer emergency response team branch in the US.
Frank van Vonderen, CISA, CGEIT, MSIT, is managing consultant at the Dutch consulting company Verdonck, Klooster & Associates and has more than 13 years of experience in IT advisory and auditing for several multinationals. Previously, he worked at Siemens AG as manager of IT audit, and he has published several articles on IT sourcing, operations and security in various Dutch magazines. He can be reached at [email protected].
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.