As you will be aware, the General Data Protection Regulation (GDPR) came into force on 25 May 2018, a full two years after the European Parliament passed the legislation. It significantly extended the protection of personal data, with increased responsibilities and consequences for organisations. Because GDPR protects individuals in the EU regardless of where the organisation is based, an organisation holding or processing even one such person's data must comply. The fines are significant compared to previous penalties: up to 4% of annual global turnover or €20 million, whichever is greater.
The two years between GDPR becoming law and coming into force gave time to prepare. To this end, the Chartered IIA has been keen to provide information and support to its members, through technical guidance, blogs and events. Organisations are looking to internal audit to provide guidance and assurance on this most business-critical area.
So, what has happened since 25 May this year, and what will happen as we move into 2019? An Imperva study quoted by the Chartered IIA in Risk in Focus 2018 showed how much work remained to raise awareness: '51% of executives and IT security professionals believed GDPR would impact their companies, 33% didn't see it impacting them, 11% were unsure and 5% were not familiar with GDPR.' Following on from this, a TrustArc study quoted in Risk in Focus 2019 states that only 27% of businesses in the EU reported being compliant with GDPR one month after the enforcement date of 25 May 2018. However, 74% expected to be compliant by the end of 2018 and 93% by the end of 2019.
As late as the week before the deadline, many internal auditors were concerned that their organisations had still not fully grasped the scope of GDPR. Some saw it as purely an IT matter; others referred it to legal teams. However, to comply with the spirit and the letter of the law, awareness must come from the top down.
If certain organisations were still unaware of GDPR's meaning and importance, many members of the public were not. Within 24 hours of GDPR coming into force, individuals brought complaints against Facebook, Google's Android operating system, Instagram and WhatsApp. Data regulators in the UK, France, Austria and elsewhere in the EU reported a sharp rise in complaints. This suggests that the public as a whole is ready to hold organisations to account. Has your organisation received any complaints from customers? What action has been taken? And would you, as internal audit, be aware if it had?
There were also consequences for organisations that, keen to demonstrate compliance, contacted all customers to seek explicit permission for continued communication. This was unnecessary in many instances and led to customers expressing anger and frustration at the emails clogging up their in-boxes.
As we highlighted earlier this year in our blog Keeping current with consent, consent forms and emails are not the only tools available. Consent is only one of the six lawful bases for processing personal data set out in Article 6 of GDPR. The other five are:
Some global organisations have been told by their legal teams that consent is the only avenue to compliance. Given this lack of awareness, internal auditors should be ready to support and guide with correct advice. Seeking consent when it is not necessary could lead to significant reputational risk and, if customers leave out of irritation, financial loss. Keep in mind, too, that an organisation with fewer than 250 employees has lighter record-keeping obligations: Article 30(5) of GDPR exempts it from maintaining full records of processing activities unless the processing is likely to result in a risk to individuals, is more than occasional, or involves special category or criminal offence data. Its other obligations under GDPR still apply in full.
So what should internal audit be doing to help organisations nearly six months on?
Every affected organisation, whether private, public or third sector, should start with the first of the Information Commissioner's Office's 12 steps: awareness. Even the best-organised company, government department or charity, fully compliant from before 25 May, must remain aware to remain compliant. Knowing what information you hold, and why, how and where you hold it, is essential.
Internal audit can and should already be involved in data protection impact assessments (DPIAs). These exercises, which GDPR mandates wherever processing is likely to result in a high risk to individuals, should make clear on which lawful basis the organisation is holding or processing data. If your organisation is not yet fully compliant, or not able to demonstrate and document compliance, the assessments can at least show that you are acting in good faith to fill gaps and improve.
Here are the key questions that have been highlighted on data protection:
These are just some of the other ways internal audit can provide assurance.
The Information Commissioner's Office has updated its 12 steps to data protection compliance for the Data Protection Act 2018. The steps below are written with Part 3 of the Act (law enforcement processing) in mind, but they map closely onto the original GDPR 12 steps and are a useful checklist for any organisation:
Check whether you are a competent authority under Schedule 7 of the Data Protection Act 2018 or have statutory functions for any of the law enforcement purposes. If so, make sure that key people in your organisation are aware that the law changed in May 2018.
You should document what personal data you hold, where you hold it, where it came from, who you share it with and who is responsible for it. Identify what personal data is being processed under Part 3 (of the DP Act 2018) and what is being processed under other parts of the Act and GDPR. Do you work jointly with other organisations? Do you use data processors? You may need to organise an information audit and review any contracts or agreements.
You should identify the lawful basis for your processing activity, document it and update your privacy notices to explain it, using clear and plain language.
If you rely on consent you need to consider whether this is appropriate or whether you should use another lawful basis. If consent is appropriate then you should review how you seek, record and manage consent and whether you need to make any changes. You will need to refresh existing consents if they do not meet the standard required.
You should review your current privacy notices and ensure that these are in an easily accessible form and up-to-date. You will need to include more detailed information including your lawful basis for processing personal data and retention periods unless an exemption applies.
You should check your procedures to ensure they cover all the rights individuals may have, including the right to erasure, so that you know how to respond within the specified timescales.
You should ensure that you have the right procedures in place to identify, manage and investigate a breach. You will need to have processes in place to determine whether you need to report the breach to the ICO, based on the risks to individuals’ rights and freedoms. If you decide that it is necessary to report you will need to do so no later than 72 hours after becoming aware of it. You should be prepared to notify affected individuals in some cases.
Make sure you are familiar with the ICO’s code of practice on privacy impact assessments as Data Protection Impact Assessments are now mandatory where any processing is likely to result in a high risk to the rights and freedoms of individuals.
Ensure you designate someone to take responsibility for your data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. Competent authorities are now required to have a Data Protection Officer (unless you already have one under the requirements of the GDPR or a specific piece of European law enforcement legislation).
You should ensure that you are able to keep logs of processing operations in automated processing systems. This will include a log of any alterations to records, access to records, erasure and disclosures of records unless an exemption applies.
You should review procedures for transferring or sharing personal data across borders (either with relevant authorities or others) to ensure that they are compliant.
If you are undertaking sensitive processing you will need to ensure that you are compliant with the requirements of the legislation including having an appropriate policy in place.
Finally, the ICO’s Guide to the GDPR is a 'living document', so do bookmark it and check back regularly to keep abreast of updates.
Source: Information Commissioner's Office (PDF).