On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect and be immediately enforceable as law in the European Union. The legislation, whose impact on data privacy has drawn comparisons to the effect Sarbanes-Oxley had on financial regulation, affects any organization that collects, stores or processes the personal data of EU residents.
GDPR unifies regulation of all EU residents’ data privacy by replacing all state-specific Data Privacy laws and introducing a Supervisory Authority for each member country. It also raises the stakes for noncompliance, with heavy fines of up to 20 million euros, and grants consumers rights to retribution for data privacy breaches. We recently spoke with Jeff Sanchez, a Managing Director in the security and privacy technology practice at global consulting firm Protiviti, to discuss the current state of GDPR compliance, as well as the incoming responsibilities for Internal Audit once it becomes law. Read below for our important takeaways.
Enforcement: Past Trends and Future GDPR Predictions
While companies at the highest risk under GDPR - i.e. the largest data processors - are presumably the most prepared for the deadline, most businesses that will be affected by the regulation will likely not be compliant by May 25. Historically, European privacy authorities have taken action against a wide range of companies for privacy infractions, and that was before GDPR. In order for companies across the entire business landscape to take GDPR seriously, regulatory authorities will most likely continue in this tradition by targeting a range of organizations - from large data processors to average companies - in the coming months.
How can Internal Audit ensure all steps are being taken for effective compliance?
Internal Audit should continue to educate management on the importance of GDPR as well as assist with remediation activities. Here are several activities Internal Audit can play a role in, before and after May 25:
Developing an inventory of processing activities. This is one of the most time-consuming activities in the overall GDPR compliance process, and one Internal Audit can help with before and after May 25. It requires process mapping and identifying systems and processes, all of which Internal Audit already does in its day-to-day activities.
Reviewing the compliance state. In some cases, companies may have reached a state of compliance but may have gotten there by cutting corners. In such instances, Internal Audit can help by going back and identifying each of the key components of GDPR that were addressed but were not properly documented, and help by documenting those processes. Some examples of this in action are identifying the basis of legal processing for each of the workstreams in the inventory and auditing the privacy notice.
Third party due diligence. Depending on where an organization is in its GDPR compliance efforts, Internal Audit can help with the compliance activities. It can play a role in auditing vendors, for example.
Data Protection Impact Assessments (DPIA). These help organizations identify, assess, and mitigate the risks associated with data processing activities - an important step in complying with GDPR. As DPIA needs are identified, Internal Audit will play a significant role in conducting DPIAs.
Leveraging existing regulations around GDPR. The European Union's existing Data Protection Directive has similar components to - and in some cases is even more restrictive than - GDPR. Organizations that are doing a good job of following the directive can be more comfortable about complying with GDPR's requirements for email and telemarketing activities, and any extra effort for those processes should not be much of an additional burden.
GDPR's greatest positive impact will be in providing greater trust between EU consumers and companies. Strong enforcement affecting a range of organizations will give companies, even lower-risk ones, more incentive to be cognizant of GDPR. How enforcement of the regulation will unfold, as well as the legal implications for companies without physical locations in the European Union, remains to be seen. The most well-prepared organizations will be the ones that work on strengthening their privacy and security programs using frameworks such as GDPR and the NIST cybersecurity standards - in 2018 and beyond.
Have more questions about GDPR? Learn more about how to prepare for the deadline at Protiviti’s blog. To see how AuditBoard’s compliance software can help with your GDPR compliance program, get in touch with us below.