Over the next nine months, organizations will spend billions of dollars to comply with the General Data Protection Regulation, or GDPR — a European data protection and privacy regulation with the potential to be as disruptive to companies that conduct any kind of personal data exchange with the EU as the financial reforms created by the Sarbanes-Oxley Act were back in 2002. For starters, it is estimated that over the next year, companies in Europe will hire 28,000 data protection officers (DPOs) — one of the requirements of the GDPR. And that’s just one of the changes companies will have to make.
Protiviti held a popular webinar last month to discuss what GDPR is, how it will affect companies and how companies should prepare for this significant change. Scott Giordano of Robert Half Legal and Jeff Sanchez provided an overview of the regulation in a previous post. Here, we want to focus on GDPR’s implication for internal audit specifically. Two-thirds of the attendees at our webinar were from the internal audit function — not a surprise, as this is the group that will be providing assurance over the new controls once they are implemented, and is well positioned to provide guidance during their design and implementation.
The effects of this new law will be felt across all organizational departments, affecting policies, procedures, marketing, analytics, vendor contracts and customer transactions, among other things. The internal audit function, by virtue of its deep departmental access, compliance and risk knowledge, and board-level credibility, can play a significant role in both preparing for the change and monitoring compliance after the law is enforced, beginning May 25, 2018.
Between now and May 2018, internal audit can play a key role in guiding company strategy, serving as a strategic partner, helping the DPO, raising awareness of the new law, talking about potential risks, identifying gaps in the company’s compliance program, and helping to drive change within the organization.
The majority of attendees we polled during the webinar (66 percent) said their companies are still in the early planning and discovery phase — conducting privacy risk assessments, identifying applicable laws, mapping data and trying to understand requirements. This is an area where internal audit can make a big difference.
Once the risks and compliance requirements have been identified, internal audit can add value by facilitating a gap analysis. With roughly a quarter of companies at this stage, common gaps we have seen so far include:
- General lack of awareness related to the GDPR requirements (in particular among customer-facing functions, e.g., sales)
- Lack of comprehensive inventory of personal data and mechanisms for how such data is being captured, stored, processed, and transmitted
- Poor data mapping, or a lack of priority in privacy design
- CRM systems not designed to accommodate the rights of data subjects
- Third-party contracts that don’t reflect new regulatory requirements, and insufficient vendor management
- Historical data that may not meet GDPR consent requirements
- Insufficient accountability in data security and privacy across all users and applications
- Security vulnerabilities during data processing
- Slow or insufficient breach reporting and communication
Only after the requirements and compliance gaps have been identified can the organization begin to implement changes and move toward compliance. Our polling questions revealed that just one in ten companies has made it to this phase. Internal audit can add value here by helping to shape a compliance roadmap and advising on appropriate practices to meet the requirements of GDPR.
Of course, after the regulation takes effect, internal audit will play a pivotal role in assessing the compliance posture of an organization, testing the compliance framework and the timely reporting of data breaches, challenging management assumptions and making sure the organization is truly compliant. Data protection, specifically related to GDPR, might well be a focus point for all integrated audits that are conducted.
Companies and their internal audit departments should not underestimate the effort involved in complying with this law. The cost of complying is estimated at more than $1 million for 17 percent of U.S. companies, with larger companies likely to see higher costs. Now is the time to raise awareness among all functions that will be affected, inventory personal data, review data policies thoroughly, conduct a risk assessment and identify gaps, and engage with vendors. As with any business initiative of this scope, proper governance and oversight (including executive sponsorship and a dedicated steering committee) is going to be key to the success of the GDPR program.
For more information, we strongly encourage you to watch our free archived webinar, subscribe to our blog to be part of future discussions, and try to attend a roundtable near you. It’s not too late to start, but that won’t be the case for long.