The importance of data privacy risk management for Internal Audit
As the world gradually emerges from the effects of the COVID-19 pandemic, cybercriminals and hackers continue their activity relentlessly. The Information Commissioner's Office (ICO) reports data breaches almost every month, and with these breaches often come fines. In 2022 alone, the UK ICO has handed down enforcement notices and monetary penalties amounting to millions of pounds for non-compliance with the UK GDPR that has led to data breaches.
Often these breaches arise from the simplest user error: according to the data security incident trends report issued by the ICO for 2021-22, 15% of the reported breaches were a direct result of data being emailed to the wrong recipient. Others have been linked to poor management of data privacy risk, pointing to potential gaps in how data privacy is understood and integrated into enterprise risk management.
What is data privacy?
According to the International Association of Privacy Professionals (IAPP), data privacy is focused on the use and governance of personal data - for example, policies should be in place to ensure that personal customer information is being collected, shared and used only in appropriate ways. Data security, on the other hand, concerns the measures that protect personal data from an attacker. So, while data security plays a critical role in data governance, it does not address the issue of data privacy on its own.
So how does an organisation address data privacy in totality?
In a recent publication, ISACA put forward a methodology for the development of a privacy risk management framework which can help with governing data effectively and implementing internal and external security controls. The four management domains noted within the COBIT 2019 framework include:
1. Align, Plan and Organise (APO): This domain focuses on managerial actions and their alignment with the overall enterprise goals. It contains 14 general objectives, including managing organisational structure, budget and cost, third-party management and data.
2. Build, Acquire and Implement (BAI): In this domain, the framework lays strong emphasis on the changes made to organisational data and assets, considering the impact of these changes on end-user availability and capacity.
3. Deliver, Service and Support (DSS): As a domain, DSS contains six objectives which are largely IT operations focused, such as incident management, business continuity and resilience, process controls and security.
4. Monitor, Evaluate and Assess (MEA): This is the final domain, which provides the evaluation mechanism for the other domains listed above and ensures continuous monitoring end to end.
This framework provides a clear and standard methodology that can be deployed to develop a risk management approach to data privacy, helping the organisation integrate data privacy as a key subject in its enterprise risk management framework (RMF) and align it with the organisation's business objectives.
Role of internal audit (IA)
Beyond providing assurance and ensuring compliance with internal policies and regulation, IA needs to be seen as a trusted business partner, present throughout organisational change programmes and broader strategic ‘decision-making’ so that potential data privacy issues can be identified early, before they crystallise into data breaches. The Institute of Internal Auditors (IIA) suggests ten key questions for internal auditors to ask in order to properly identify privacy risks and design the best approach to manage them. These questions are aimed at directing the internal auditor to the areas of importance which need to be covered with respect to data privacy.
There are some key ways in which IA can help an organisation better manage data privacy risks:
· Getting the buy-in of senior management and the board: For any programme to be successful, IA requires the engagement and full support of executive management and the board. A constant line of communication and liaison with the audit and management committees will position IA as a strategic partner that can provide guidance on how best to navigate data privacy.
· Improving the coverage of data privacy risks: In a survey carried out by the IIA, it was noted that 48% of internal auditors either did not identify data privacy as a material risk to their organisation or did not think it was applicable. In practice, this means privacy risk is unlikely to have sufficient coverage in their audit plan. This fundamentally needs to change - IA needs to include privacy risk within the audit scope, and the necessary considerations should be captured in the audit plan. Before setting out the audit plan, IA should perform a comprehensive risk assessment that includes the enterprise considerations for data privacy risk, mapping them to appropriate controls. These controls should be tested alongside others during the annual audit exercise. In this way, IA can promptly identify any weaknesses in the organisation that could lead to a heightened likelihood of a data breach.
· Demonstrating compliance: This is a function that is core to IA’s business. As strategic business leaders, IA should show that the enterprise is not in breach of regulation pertaining to data privacy. The IAPP suggests that IA can work closely with the Data Protection Officer (DPO) by ensuring that compliance with the accountability principle in Article 5(2) of the UK GDPR is operating effectively in the organisation. This principle provides that the data controller shall be able to demonstrate compliance with all seven principles of the UK GDPR.
· Continuous auditing: As organisations’ technology landscapes continue to evolve, our approach to auditing needs to evolve as well, to include ongoing monitoring and review of compliance efforts rather than limiting auditors’ involvement to post-event review and assessment. Playing catch-up after the event is no longer practicable; by then it may be too late. Internal auditors can deploy the practice of continuous auditing to ensure they are meeting expectations, ready to promptly identify and address the weaknesses that lead to heightened data privacy risk. Furthermore, recurrent internal audits can raise a red flag where documentation that must be maintained under the UK GDPR does not reflect the latest events or management controls.
· Reporting and stakeholder engagement: As internal auditors, there is a need to bring internal and external stakeholders along on the data privacy risk management journey. The business relationship between IA and the DPO cannot be taken lightly. IA should test the organisation's awareness of its responsibilities while providing insight on how best to keep individuals updated through timely analytics and reporting. According to the IAPP, frequent status reporting, including the evidence collected by IA, should be available to relevant internal stakeholders such as the DPO and compliance, who are engaged in the organisation's GDPR compliance. According to ISACA, specific and clear communication about the enterprise’s approach to managing data privacy is key to obtaining support from executive management and the board for the privacy risk management programme. IA needs to identify ways to provide visibility of the risk terrain and its implications for the business before any new venture is put forward and agreed upon. By being part of the initial review process for business decisions, IA can help ensure that the right questions are being asked, in addition to serving as a final check to validate that all questions were answered.
Lastly, another key technique is knowledge upskilling. A robust training plan for internal auditors can prove to be a profitable investment. IA needs to be equipped and trained on emerging topics in data privacy, how best to manage data privacy, and the expectations of the regulator and the public regarding personal data protection.
Data privacy is the responsibility of everyone, and IA has a critical role to play in ensuring that it is properly managed by the organisation.
Note: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.
MBA||Attorney||Intersection of Technology, Business and Law||Regulatory Compliance||Writer||
2 years: Quite an informative piece. I totally agree with the fact that data privacy is a precursor to data security/risk management. I strongly believe that due diligence on issues of data privacy is key to minimising risks associated with data breach. One point that was instructive is ensuring periodic auditing to ensure early identification of loopholes that may cause breach of data in an organisation. Thanks for sharing
Strategy | Leadership | Partnerships & Operations | Passionate about building strategies, partnerships and optimising processes.
2 years: This is very concise and communicates the points clearly. Wonderfully written. A Big Well Done on this! Chima' O. I enjoyed reading it!
Audit Director
2 years: Craig Cairns
AVP - IT & Cyber Security
2 years: Well done on a well written blog Chima' O.