Data is used by all businesses – from insurance firms and banks to social media sites and search engines. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore. The General Data Protection Regulation (GDPR) is an EU initiative which came into force in the UK on 25 May 2018, replacing the Data Protection Act 1998. It introduced wide-ranging changes to UK data protection legislation.
GDPR is a key concern for three reasons:
Internal audit is well placed to provide assurance by providing a top down risk assessment of how likely the organisation is to comply.
The GDPR standardises data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII).
It also extends the protection of personal data and data protection rights by giving control back to EU residents, along with introducing significant penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It is widely expected that the UK will continue to comply with GDPR even after Brexit. Internal auditors need to understand how it affects their organisation.
The business benefits of the GDPR
Our recent webinar, hosted by our partner ACL, examined the role of internal audit within an organisation's GDPR agenda. It free to view – you'll just need to provide a few details.
Seven key changes in the new regulation highlighted along with seven key questions for internal audit.
How will this EU directive impact your organisation following the result of the UK's referendum to leave the EU?
The new regulation came into force on 25 May 2018 in the UK without the need for domestic legislation whilst we remain part of the EU.
In addition, Article 3 of the Regulation provides for extra-territorial effect meaning that the Regulation will apply to businesses based outside of the EU where:
Given the above, many businesses with supply chains or customers in the EU will therefore need to ensure they are meeting the regulation, regardless of UK decisions on data protection law.
Personal data from the EU may only be transferred to jurisdictions which protect that data as per EU standards.
We will publish further comment once we know more about the Brexit plan. Monitor the Information Commissioner’s Office for statements on Brexit. Internal auditors in the Republic of Ireland should continue with their plans, and may find the Data Protection Commissioner useful.
Awareness must now become action – and internal audit should be involved at all levels, to help management better understand and mitigate the related risks.
GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach, where feasible. We look at the features that should be included in the plan and the work that internal audit can undertake.
Asking a third party to provide a service or product can deliver important benefits – it also increases exposure to loss, theft and misuse of data.