GDPR – Mountain or molehill?
Technical blog by Liz Sandwith, chief professional practice advisor | 3 March 2017
On Tuesday morning (28 Feb) I was at the Shard in London to hear the Protiviti presentation that sought to prepare us for General Data Protection Regulation (GDPR), which comes into effect in May 2018. They had some sobering messages.
One was that if our organisations haven’t as yet completed a gap analysis then it is highly likely that we won’t be compliant in time for May 2018.
Protiviti did some analysis looking at a recent data protection breach and applied the future fines. If we were now post-May 2018, the organisation could have been fined £1.9bn!
Some other key issues coming out of the presentation:
- Reporting a data breach within 72 hours – What does this mean? Do we have to report all data, sensitive and/or personal? And what if we don’t know the extent of the breach within the 72 hours? Protiviti say that the average time to detect a breach is 201 days, so the 72 hours must surely relate to when we are made aware of the breach.
- Organisations with more than 250 employees will need to appoint a Data Protection Officer (DPO) who will link into senior management and the regulator. Hopefully there will also be some liaison between the DPO and Internal Audit!
- Data Protection Impact – Have we undertaken a risk assessment? What did it tell us? Do we know where our potentially high risk sensitive personal data is? What if it isn’t in the UK, but elsewhere in Europe? One of the points I picked up was that there is an age separation in relation to online data sharing: those under 35 are apparently less conservative about sharing information, whereas those of us over 55 are more conservative about what we share and with whom.
- Data Encryption – if data is encrypted but lost there might not be a requirement to report the data breach. But what if the encryption is cracked? It is then a breach. How will we know?
One of the other challenges we need to consider is that it will no longer just be data controllers who are accountable, but also data processors. So we will need to understand, within our organisations, where we are the data controller and where we are the data processor. This might not be as simple as it perhaps at first appears.
For me, sitting in the room, wearing my internal audit hat, the lasting thoughts I took away with me were:
- Have we as internal auditors sufficiently briefed the Board and the Audit Committee about GDPR?
- Internal Audit needs to undertake a top-down risk assessment. So what will that do to the delivery of our 2017/18 internal audit plan?
- The time spent building relationships with the Board and Audit Committee will now be incredibly valuable.
- As internal audit, do we have the ability to support the DPO to drive change and to empower them to act?
- It doesn’t end at May 2018. Moving forward, the Board and Audit Committee will require an increased level of assurance around internal control, compliance and reporting processes. Remember, the sword of Damocles is potentially hanging over us all in terms of fines if we get it wrong, make a mistake or take our eye off the ball.
- Have we done enough? What do we need to do today? What is the organisation looking for from internal audit in terms of today, May 2018, and going forwards?
Needless to say, sleep was in short supply Tuesday night!
View the slides from Protiviti's presentation, GDPR - What should internal audit do? (pdf)
Content reviewed: 24 October 2018