
Editor's Note: GDPR Is Just the Beginning

Anne Millage, Mar 29, 2019

It is no surprise that cybersecurity and data protection remain top worries among chief audit executives (CAEs) responding to this year’s IIA North American Pulse of Internal Audit report.

Seventy percent are highly concerned about the potential for reputational harm stemming from an inappropriate disclosure of private data. What is surprising is that CAEs are far less concerned about compliance with new data protection rules. Nearly 50 percent of respondents say their organizations have minimal or no concern. 

Almost a year after the European Union’s General Data Protection Regulation (GDPR) went into effect, organizations are feeling “GDPR’s Global Reach.” And, it’s just the beginning. China has introduced regulations on cybersecurity, data protection, and cross-border data transfer that are reflective of GDPR. Brazil has a new General Data Protection Law that will go into effect in early 2020, and new and revised regulations are coming out of Australia and Japan, among many others. And, in the U.S., the California Consumer Privacy Act will take effect next year.

“Compliance requirements like GDPR are forcing changes in the way data is handled in many organizations,” Jan Hertzberg, a privacy consultant, tells author Arthur Piper. “For CAEs, it is not just about data privacy, but data integrity throughout the business.”

The many new data privacy regulations “highlight the need for organizations to get their data protection practices in order,” says Pam Hrubey of Crowe in this issue’s “Eye on Business.” Hrubey says organizations tend to have common challenges relating to data protection. She and Mike Maali of PwC consider those challenges and how organizations can safeguard information, as well as internal audit’s role in privacy governance. 

In the Pulse report, concern about GDPR compliance escalates in line with the size of the respondent’s organization. In organizations with more than 50,000 employees, 62 percent rated compliance as a high concern compared to 29 percent who rated it that way overall. This suggests that larger organizations are more likely to have international operations. However, for others with international operations, there also could be some misunderstanding of when these new rules apply, as they are based not on the location of the organization, but on the location of the customer whose data is being gathered. To read the full 2019 Pulse report, visit

On another note, it’s time once again to recognize high achievers in the profession. Nominations for Internal Auditor’s 2019 Emerging Leaders are now open. See the opposite page to learn how to nominate. Tell us who are the best and brightest in your internal audit functions and look for the article featuring this year’s leaders in October.

Anne Millage

Anne Millage is editor in chief of Internal Auditor.