There is no denying that privacy and data protection continue to go mainstream. International and domestic privacy laws are continuing to pop up, and a global pandemic has meant that countries and private corporations alike are collecting more sensitive data than ever before.
As these types of trends continue, many companies are struggling to identify the nuances between privacy laws and how to best implement a program that is flexible enough to adapt. Each regulation comes with additional reputation and regulatory risk (e.g., fines), increased consumer rights, and enhanced focus on how companies use personal data as a commodity. These complexities only compound the need to implement a strong privacy program based on an industry-accepted framework such as NIST or ISO.
While implementing and managing privacy programs is commonly a joint effort among compliance, legal, privacy, risk management, and security teams, it has also become essential for Internal Audit to unpack the complexities surrounding these regulations and drive a proactive approach toward compliance.
By advising on the status of current controls, performing privacy risk assessments, and performing detailed testing of systems that hold personal data and of enhanced privacy controls related to customer access to personal information, Internal Audit can help organizations comply effectively by engaging early and often in the data protection lifecycle. An Internal Audit team that is highly involved in advising business units on data issues, while not designing or implementing controls, can help the organization not only meet regulatory requirements but also safely leverage data to its full value.
Advise Privacy, Compliance, and Security Teams on Implemented Controls
Internal Audit teams have an in-depth understanding of the business processes and controls that support a privacy program. With this expertise, Internal Audit is in a unique position to advise on current state and known gaps for privacy and data protection processes and technologies.
Aligning existing privacy controls, as well as risks identified from a privacy risk assessment, to an industry-standard privacy framework (e.g., NIST Privacy Framework or ISO 27701) is a great way to build a more sustainable approach to compliance, and will help to ensure that fundamental privacy controls have been established and risks are prioritized. Utilizing a known framework also allows for easier integration with existing IT and cybersecurity control frameworks.
In the current environment, organizations should also carefully consider any additional data they may be collecting from employees, especially as they transition safely back to the office. They may be storing new personal data or even health-related information which may require additional considerations.
Perform a Privacy Risk Assessment
Conducting a risk assessment is an effective way for Internal Audit to gain an initial understanding of the sensitive data within an organization and the privacy risks that exist. Understanding that every organization is different, it is important to cast a wide net when creating a privacy risk register. Some questions that may be helpful to ask include:
- Who owns “data privacy” in the company?
- What new or existing privacy regulations apply (for new ones, see the IAPP’s tracker or state-by-state tracker)? How do requirements overlap or relate to each other?
- Have expanded consumer rights been implemented and made readily available to customers?
- What data tagging and mapping processes exist? Is there a strong understanding of the sensitive data lifecycle?
- Are there technical data protection mechanisms in place that may need to be refreshed or enhanced?
- Do we have a robust vendor risk management program in place which considers risks like data transfers and use of personal data?
- Have privacy-related incidents occurred in the past, including a breach of personal data? Was the incident response process adequate?
Continuously Assess, Monitor, and Improve
Incorporating privacy into the Internal Audit Plan, either as a stand-alone audit or as part of an integrated audit approach, is an important step in ensuring that privacy processes are operating effectively. There are several ways to incorporate privacy-specific testing into audit plans including:
- Auditing data classification and tagging to ensure that data is classified appropriately.
- Sampling data subject access requests (DSARs) to determine if the process was followed accurately and appropriate actions were taken as a result.
- Sampling data protection impact assessments (DPIAs) and evaluating for complete and accurate assessment of privacy risks.
- Reviewing information systems which store or process personal information for adequate IT controls such as encryption and access management.
As organizations move from a responsive to a proactive stance on privacy regulations and data protection leading practices, it is important for Internal Audit teams to have a seat at the table when building, maintaining, and assessing privacy programs, while maintaining their independence. Organizations that can promote collaboration across the three lines of defense have the greatest ability to develop a privacy program that not only responds to privacy regulations as they develop but also proactively protects data and builds trust with their customers.