GDPR: An Opportunity for Internal Auditors to Lead the Focus on Data Protection
June 21, 2019
The European Union (EU)’s General Data Protection Regulation (GDPR) awakened us to the importance of securing our data and being mindful of an individual’s privacy. Colleges and universities are a treasure trove of personal data, since institutions collect data from alumni, prospective and current students, staff and faculty members. Institutions that must adhere to GDPR are not only subject to specific technical, administrative and legal requirements, but also face potential liability.
Whether or not a specific institution must comply with the regulation, it has a responsibility to properly secure and control the use of personal data. Internal auditors should take this opportunity to assess the risks related to personal and other sensitive data (e.g., intellectual property).
For all organizations, there are benefits to implementing data protection controls and performing a data protection internal audit. The audit will help determine whether the institution has the appropriate IT controls in place, identify the location of personal and sensitive data, improve data quality, limit the amount of data collected from individuals and restrict access to data.
Internal auditors should engage management in assessing controls around data protection. Prior to assessing the institution’s data protection needs, internal audit should inquire as to whether management took the steps necessary to determine if the regulation impacts the institution. Heavy financial penalties exist for noncompliance with GDPR.
In recent years, IT departments and auditors focused on network security, logical security and access management: firewalls, intrusion detection, anti-virus protection, password complexity rules, penetration testing, as well as the removal of terminated users’ access. These controls directly or indirectly support data privacy. GDPR and data protection assessments go beyond cybersecurity, however, and internal audit should begin to shift from a system-driven security approach to one where the focus is on data-driven security.
GDPR data management principles and requirements to consider include:
• Data minimization: The practice of collecting the least amount of data needed to perform the task or service.
• Privacy by design: The concept of embedding privacy into the development and operation of IT systems and business practices. Too often, in the rush to implement a new technology, little time is spent thinking through the ramifications of collecting, analyzing, and/or disseminating sensitive information.
• Pseudonymization: The process of replacing most identifying fields in data records with artificial identifiers.
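As an added illustration of the data minimization and pseudonymization principles above (example code, not part of the original article): constructed student records are reduced to the fields a task needs, and the direct identifiers are replaced by a keyed HMAC token, so the same subject stays linkable across records while the re-identification table is held apart from the data. The field names, the identifier classification and the key handling are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records of the kind a registrar or research office might hold.
SAMPLE_RECORDS = [
    {"name": "Ada Lovelace", "student_id": "S1001", "email": "ada@example.edu",
     "home_address": "1 Main St", "major": "Mathematics", "gpa": 3.9},
    {"name": "Ada Lovelace", "student_id": "S1001", "email": "ada@example.edu",
     "home_address": "1 Main St", "major": "Mathematics", "gpa": 3.8},
    {"name": "Alan Turing", "student_id": "S1002", "email": "alan@example.edu",
     "home_address": "2 Bletchley Rd", "major": "Computer Science", "gpa": 3.7},
]

# Assumed classification: fields that identify the subject, and fields the task needs.
DIRECT_IDENTIFIERS = {"name", "student_id", "email", "home_address"}
REQUIRED_FIELDS = ("major", "gpa")


def pseudonym(student_id, key):
    """Keyed pseudonym (HMAC-SHA256) for one subject: the same key and ID always
    give the same token, so records stay linkable; without the key the token
    cannot be recomputed from a list of known IDs, unlike a plain hash."""
    normalized = student_id.strip().upper().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize_records(records, key):
    """Apply minimization and pseudonymization; return (records, re-identification table).
    Direct identifiers are replaced by a token and fields outside REQUIRED_FIELDS
    are dropped. The table is the only link back to real IDs and belongs in a
    separate, access-restricted store, never next to the dataset."""
    processed, reident = [], {}
    for rec in records:
        token = pseudonym(rec["student_id"], key)
        reident[token] = rec["student_id"]
        processed.append({"subject": token,
                          **{f: rec[f] for f in REQUIRED_FIELDS if f in rec}})
    return processed, reident


def leaks_identifiers(processed):
    """Audit check: does any processed record still carry a direct identifier?"""
    return any(DIRECT_IDENTIFIERS & set(r) for r in processed)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated here for the demo; keep the real key in a vault
    data, table = pseudonymize_records(SAMPLE_RECORDS, key)
    print(data, leaks_identifiers(data), len(table))
```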
As a part of a cybersecurity or incident management audit, internal auditors evaluate how to identify, log, track, escalate and address incidents. Internal auditors can expand their cybersecurity or incident management audit programs by incorporating elements from GDPR, which include defining personal data breaches, as well as the response time in notifying government agencies and impacted individuals. The data protection regulation will help broaden management’s and internal audit’s understanding of data protection.
For example, Article 4 of the regulation defines personal data as:
Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In Article 9, GDPR expands the definition of personal data by including genetic and biometric data, which uniquely identify an individual. GDPR refers to this type of information as “special categories of personal data.”
Article 7 focuses on obtaining consent from the individual/data subject. Internal audit should inspect policies, procedures, notifications and forms related to personal and other sensitive data. The policies should cover obtaining consent, providing choices where appropriate and focusing on only collecting personal data that is adequate and relevant. In order to be effective, institutions should evaluate current technology to ensure it is adequate in managing consents.
Turning to internal audit activities rather than the implementation of GDPR requirements, internal audit should take a risk-based approach to creating its audit program by defining the scope, as well as identifying, analyzing, evaluating and monitoring risks. While the primary goal is to secure data, it is only achievable if management implements the right set of controls to secure hardware, software, network components and supporting assets (e.g., paper documents, individuals).
When considering the risks relevant to data protection, internal audit should identify internal and external factors, such as regulations, contractual agreements with service providers, existing internal controls, security threats and business factors. To identify risks, internal audit should classify risk sources, assets (e.g., information, personal data, systems, etc.), threats and weaknesses, as well as possible impact and data protection risks.
As internal audit engages management in performing a data protection audit, the team should determine, with the help of management, the processes, departments, technology and outsourced providers that “touch” sensitive data. Depending on the size of the institution, internal audit may need to conduct surveys or hold workshops to identify the departments that collect and manage personal and other sensitive data. A data flow diagram is an excellent tool for internal audit to utilize to understand the flow of personal and other sensitive data. As internal audit follows the flow of data, they should identify information technology, compliance and manual controls that are already in place.
Colleges and universities that have insight into their data flows are in a better position to understand the impact of a data breach. Performing data mapping may be challenging for some teams as they attempt to identify departments that utilize personal and other sensitive data, inventory what data is collected, locate where the data is stored, assess the sufficiency of technical and organizational safeguards, and understand each department’s legal and regulatory obligations. For instance, faculty engaged in research may share subject data with the sponsoring organization, a federal agency, or other parties in a consortium. While there may be general awareness of the data transmitted to others, institutions often unknowingly receive files containing records with excessive and irrelevant data elements, yet continue to store them on their network.
After internal audit evaluates the results from their fieldwork, which include the data flow diagrams, walkthroughs, policies, procedures, notices and forms, and internal control system, the auditors should consider the impact and likelihood of unauthorized access, unwanted modifications, and loss of personal and other sensitive data. After classifying the severity of the risk, the auditors will be able to provide meaningful recommendations to address data protection risks.
One expectation of GDPR is the creation of a Data Protection Impact Assessment (DPIA), which helps identify and address risks at an early stage by analyzing how the proposed methods will mitigate identified risks. There is a legal obligation to perform a DPIA, especially when implementing new technologies that impact personal data. The DPIA should take into account the nature and purposes of the proposed methods and if there is a high risk that the rights and freedom of people will be compromised.
One recommendation to present in the internal audit report is to conduct a DPIA when projects (e.g., new IT system, data sharing initiative, legislation, etc.) that impact personal or other sensitive data commence. After the project lead or IT personnel complete the DPIA, the executive project sponsor should evaluate the residual risks to assess whether to move forward with the project and determine if the assessment was sufficient and complete. The project sponsor will also determine if existing internal controls are operating effectively so that residual risks are at an acceptable level. If the level of risk is unacceptable, additional controls may be required.
Data protection and governance are not new concepts, but the enactment of GDPR raises awareness of the importance of safeguarding personal information. Internal audit should spearhead the initiative because shining a light on protecting the privacy of personal data not only builds trust, but also reduces the level of reputational and regulatory risk.
About the Author
Mark Bednarz
Mark Bednarz, MS, CPA, CISA, CFE leads PKF O’Connor Davies Risk Advisory Group. He combines more than 20 years of experience and an expertise in attestation and consulting services. His experience includes business process improvements, ERM reviews, cybersecurity, internal audit, internal audit transformation projects, and forensic projects. He is also partner-in-charge of many internal audit engagements for community private and public colleges and universities.
Mark is a frequent presenter for several professional organizations, which include the Association of College & University Auditors (ACUA). He serves as an author and contributing editor for articles that appear in newsletters and publications, and also conducts webinars. Mark has been awarded Fairleigh Dickinson University’s inaugural “50 Under 50” Business Leaders and is on FDU’s Information Technology Industrial Advisory Committee (ITIAC).