Six Privacy Considerations for Auditors

  • Category: blog
  • Published: Wednesday, 14 April 2021 07:05

As compliance requirements continue to evolve, it is critical for auditors to stay abreast of the most current regulations. Efforts to implement proper privacy measures should not lead to separate information security projects completed merely for compliance reasons; privacy should instead be built into overall cyberrisk and resilience management. The following are six elements of privacy for auditors to keep in mind:

  1. Define personal information—Personal data has a broad definition and is defined in Article 4 of the EU General Data Protection Regulation (GDPR) as “any information relating to an identified or identifiable natural person.” Article 4 also states that an identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In other words, even a person’s IP address, hair color or religious preference could be considered personal information if, on its own or with other data, it can be used to identify a specific individual.
  2. Consider user control—One requirement common to privacy laws and regulations (e.g., GDPR) is the control that individuals have over their data. In addition to the right to erasure (the “right to be forgotten”)—the right to request that their data no longer be processed and be deleted—individuals can also request access to the data an organization holds about them and have inaccurate data corrected. The auditor should review whether the organization has mechanisms and policies in place for receiving, verifying and satisfying such requests within the time limits the applicable regulation imposes.
  3. Take inventory of data assets—The auditor should confirm that the organization knows which systems, applications and third parties hold personal data, observe how those assets are classified, and review what controls have been put in place to protect and safeguard the assets and the data they contain.
  4. Identify the regulation or framework with which to comply—The auditor will need to set criteria to measure against, as this step narrows the list of requirements for the specific audit. In certain cases, only some portions of a framework will apply to the organization, and the auditor will need to identify which ones. If the auditor is performing an overall audit of security and privacy, that auditor must make sure to include criteria from all frameworks that are applicable to the business.
  5. Verify workflows and components—The auditor is required to review the documentation describing the controls related to data handling at each stage: collection, processing, storage, sharing and disposal. Each stage needs its own policies and procedures, and the auditor must verify not only that the documented components and workflows exist but that they are actually followed in practice.
  6. Analyze the risk assessment—One of the key activities of a data privacy assessment is to review the risk assessment conducted by the organization. This creates the opportunity to understand the risk factors identified, the likelihood and impact assigned to each, and the mitigation plan, and to check that the plan addresses the risk to the individuals whose data is processed, not only the risk to the enterprise.

The auditor should create written questionnaires to be completed by the different business units that handle sensitive data. The questionnaires should include questions such as:

  • What kinds of personal data are being collected and for what purposes?
  • What kinds of personal data are being processed and for what purposes?
  • What kinds of personal data are being stored and for what purposes?
  • How are the personal data collected, processed and stored?
  • What consent is required from the individual, and how is it obtained and recorded?
  • What steps are taken to ensure the accuracy and integrity of the stored data?
  • How is the data disposed of when it is no longer required?

Follow-up interviews may be needed to clarify or expand on the provided answers, or to understand the rationale behind specific policies or procedures. The auditor’s goal is to determine whether the policies align with the actual processes and workflows.

A matrix that maps each applicable requirement to the control, evidence and responsible business unit is an effective tool for organizing these findings and recommendations, and it can include useful notes and resources. When auditors maintain current knowledge and organizations conduct training sessions to keep their employees informed of privacy issues, compliance becomes less of a burden.

Designating certain employees as “owners” of different policies, who ensure that those policies are current and reflect any regulatory changes as well as existing enterprise practices, can also be helpful.

Comprehensive cyberrisk and resilience management should be planned and executed with privacy in mind at every level of the organizational hierarchy.

Hafiz Sheikh Adnan Ahmed, CGEIT, COBIT 5 Assessor, CDPO, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI, is a governance, risk and compliance (GRC); information security; and IT strategy professional with more than 15 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter and volunteers with ISACA Global as a Topic Leader for the Engage online communities.

He also serves as a member of the ISACA IT Advisory Group and the Chapter Compliance Task Force, an ISACA Journal article reviewer and a SheLeadsTech Ambassador. Ahmed previously served as a chapter award reviewer and on the CGEIT Quality Assurance Team. He can be reached via email and LinkedIn.

Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-CDPO, COBIT 5 Assessor, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI
Date Published: 28 September 2020

GTG & Associates provides a wide range of services in Dar es Salaam and Upcountry. The firm is purely Tanzanian and through its team of experienced accountants, auditors and consultants.
