
Basics: A Primer On Privacy

Articles Wade Cassels, CIA, CISA, CFE Apr 08, 2024

The European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018, has served as a model for personal data privacy legislation that continues to proliferate around the world. GDPR’s rules and terminology have become part of the vernacular for organizations that handle the personal information of customers, employees, or the public.

However, internal auditors asked to assess personal data privacy may wonder where to start. Auditors who are new to the privacy landscape, or new to an organization where the data privacy risk management picture is unclear, can assess several areas to determine whether personal data privacy risk is effectively managed.

Personal Data

GDPR only applies when data processing concerns personal data. GDPR (Article 4(1)) defines personal data as “any information relating to an identified or identifiable natural person.” This includes individual pieces of information (a credit card number, for example) that could be combined with other data points to identify someone, even if the organization collecting the data does not itself hold enough pieces to identify the individual. The test is whether identification is reasonably likely using means available to the organization or to another party, not whether the organization has already performed it.

It is important to note that GDPR distinguishes between personal data in general and what it calls “special categories of personal data” (Article 9), commonly referred to as sensitive personal data. Processing these categories is prohibited unless one of the specific conditions in Article 9(2) applies, such as the data subject’s explicit consent. The special categories are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a person’s sex life or sexual orientation.

One of the first steps in assessing risk related to personal data is determining whether the organization collects sensitive personal data, as this will require greater care in its handling and justification for collecting it. 

Controller or Processor 

GDPR requirements for organizations that handle personal information vary depending on whether they collect the data for their own purposes or on behalf of another organization. The controller is the natural or legal person, public authority, agency, or other body that, alone or with others, determines the purposes and means of the processing of personal data, while the processor processes personal data on behalf of the controller.

Multiple organizations may act as joint controllers, and in some cases, a single organization may be both a controller and processor. Internal audit should ensure that data privacy-related policies and practices accurately reflect the organization’s role.

Legitimate Interest

Organizations must have a lawful basis under GDPR Article 6 for each purpose for which they collect, process, or share personal data. Legitimate interest is one of six such bases (the others are consent, performance of a contract, compliance with a legal obligation, protection of vital interests, and performance of a public task), and it is the one that requires the organization to document that its interest is not overridden by the interests or fundamental rights of the data subject. Examples of legitimate interests recognized in the GDPR recitals include processing personal data for direct marketing purposes, preventing fraud, and ensuring the network and information security of IT systems. Performing a service that a customer has agreed to is normally justified under the separate contract basis rather than legitimate interest, so auditors should check that the basis recorded for each processing activity actually fits it.

Disclosures

Organizations that handle personal information must disclose what they collect and process, the purposes and lawful basis for doing so, and with whom they share it (GDPR Articles 13 and 14). This should be done using clear language that is easy to find, typically in the form of a privacy policy located on the organization’s website. The privacy policy should also explain the rights of data subjects, the people to whom the personal information refers.

Data Subject Rights

Under GDPR, data subjects have the right to access their personal data, to have it corrected or deleted, to restrict or object to further processing, and to withdraw consent where consent is the basis for processing (Articles 15 through 21). Some of these rights are exercised before collection (declining or limiting consent) and others after the data has already been collected. Auditors should therefore determine whether there is a process in place for users to decline or limit the collection of personal data up front. In a website context, this may look like a consent banner that lets users decline non-essential cookies, or a preference form where users record their choices. (The familiar “do not sell or share my personal information” link comes from California’s CCPA/CPRA rather than from GDPR, but it serves the same opt-out function for organizations subject to both regimes.)

Additionally, organizations should establish a process by which data subjects, after the collection of their data, can request access to it or request that it be deleted, corrected, or restricted from further processing, along with an internal process for verifying the requester’s identity, documenting each request, and responding to confirm what was done. GDPR Article 12 requires a response without undue delay and in any event within one month of receipt; that period may be extended by a further two months for complex or numerous requests, provided the data subject is told of the extension and the reasons for it within the first month. An internal data subject request policy should contain all of these procedures, including how deadlines are tracked.

Data Protection

Controls must be in place to protect personal data and prevent unwanted disclosure. GDPR Article 32 requires security measures appropriate to the risk and names pseudonymisation and encryption as examples. This includes appropriate data classification, as well as technical controls such as access restriction, encryption of data at rest and in transit, and logging sufficient to detect and investigate breaches. Personal information should be classified as confidential or restricted under the organization’s classification model, and that classification should drive its handling requirements. Auditors should also confirm that a breach response procedure exists, since Article 33 requires notifying the supervisory authority not later than 72 hours after the organization becomes aware of a reportable breach.

Awareness training is another key control to ensure employees understand the risks and their role in protecting private data, including the appropriate procedures for data retention, deletion, and disposal. 

Third-party risk management goes hand in hand with internal controls if the business shares personal information (including that of employees) with partners, suppliers, government agencies, and other parties. Any personal information shared with a third party must be: 

  • Shared for a legitimate reason.
  • Protected during the transfer to the third party. 
  • Transferred outside the European Economic Area only under a recognized transfer mechanism (an adequacy decision, standard contractual clauses, or binding corporate rules, per GDPR Chapter V).
  • Protected and used by the third party in a prescribed manner. 

Language in third-party contracts specifying the ground rules for data sharing and expectations around privacy controls is a critical safeguard for both parties. Where the third party acts as a processor, GDPR Article 28 requires a written contract covering, among other things, processing only on the controller’s documented instructions, confidentiality, security measures, the use of sub-processors, assistance with data subject requests, deletion or return of the data at the end of the engagement, and the controller’s right to audit. A right-to-audit clause is therefore mandatory in that case, and it is worth including in other data-sharing agreements as well.

Basic Questions to Ask

Internal auditors trying to understand and assess data privacy compliance risk for the first time should start with these questions: 

  • Do we act as a data controller or processor (or both) for each processing activity? 
  • Do we have a documented lawful basis (legitimate interest or otherwise) for collecting personal data, or for processing personal information on behalf of another organization?
  • Do we disclose what data we collect and share, and the reasons for that?
  • Do we make people aware of their rights related to the personal data we collect?
  • Do we give people a user-friendly way to decline or limit personal data collection?
  • Do we have a user-friendly tool or method for people to request access to, erasure of, or correction of their personal data, and do we track the response deadline?
  • Do we have appropriate procedural and technology controls in place to protect personal data, and a procedure for responding to a breach?
  • Do we ensure that any third parties we share personal data with are held, by contract, to the same obligation to protect it and use it responsibly?

Data privacy compliance can be complex, and answering these questions may reveal additional controls that need to be implemented to reach maturity, depending on the organization’s industry, operating model, size, and location. However, once internal auditors have determined that the answers to all of these questions are “yes,” they can confidently inform management that, at the baseline level, the organization is managing legal and compliance risk related to personal data privacy.

Wade Cassels, CIA, CISA, CFE

Wade Cassels is senior compliance analyst at Integral Ad Science in Florida.