GDPR: have you addressed key risk areas?
Guest blog by Anthony Blenkey, CIA CMIIA QIAL | 28 February 2018
Scanning the horizon for emerging challenges is one way of mitigating risks and supporting management in delivering business objectives. The introduction of the GDPR in May 2018 is one future risk we've been helping clients with for some time. Internal auditors have a pivotal role to play in fostering a positive approach to the GDPR and in providing assurance over management's implementation activities.
Getting your data protection policies, processes, procedures and structures right from day one is a fundamental aspect of GDPR compliance. Brexit will have little impact on GDPR obligations and compliance requirements, as the UK Data Protection Bill is set to reflect the European legislation. Companies using or holding European citizens' personal information must be ready for the new regime from May 2018.
What are the risks of not complying with the GDPR?
The biggest risk of failing to meet the GDPR's standards by 25 May 2018 is the imposition of a punitive fine - up to €20 million or 4% of your global annual turnover. Organisations could also suffer a serious loss of reputation, which for some could be just as damaging as a fine.
You need to consider the 12 key steps for achieving GDPR compliance, with data mapping a core activity. Internal audit has a key role here in providing assurance to management, because of the function's ability to scrutinise information and undertake validation checks. This includes identifying any compliance gaps so that remediation actions can be taken in good time.
Based on our work with clients, we have identified a number of potential weaknesses that could lead to GDPR compliance issues. These include:
- Knowledge gaps in relation to the personal information the business holds, and where that information is maintained and managed within the organisation. Information asset management will need to be agile and flexible. Has your business made sure that current hardware and software will be able to cope with the rigour required after May 2018? For example, organisations could face a significant increase in information requests that must be addressed within a prescribed time frame.
- Consents not up to date and/or GDPR compliant. For example, an explicit opt-in may be required in some situations. Is your business documenting the consents obtained so you have a record of these?
- An out-of-date policy for how to respond to a data breach. Will this policy be able to meet the new data breach reporting deadlines set under the GDPR? Is everyone throughout the organisation aware of the data breach policy?
- Failure to appoint or train a Data Protection Officer (DPO) or Data Compliance Officer (DCO). If a DPO is required due to the size of your business, has responsibility for data protection been designated to an individual within the organisation? Even if a DPO is not required, a DCO will be. Although this is a lesser role, it is still an important one. Has your organisation considered who this will be?
One final but fundamental question businesses are being asked, and indeed asking themselves, is: do we as an organisation (as data controller) use any third-party data processors? If yes, have we ever sought assurance that these third parties are using the data as they should be and are compliant with data protection regulations? If internal audit has contractual access to the third-party providers, then it may be time to undertake a review. An assurance report confirming that third parties are using the data as they should and are compliant with all data protection laws can really add value.
The 100-day countdown to the GDPR ‘go live’ deadline has now passed. A limited amount of time remains to support the business in achieving compliance before the new legislation comes into effect. Internal audit has a key role to play in not only helping management to prepare, but also providing boards with reassurance that organisational controls are sufficiently robust to address any new GDPR compliance risks.