
GDPR and Internal Audit

Auditors can help their organization navigate the compliance risks posed by Europe’s General Data Protection Regulation.

Jan Hertzberg, August 09, 2018

Now that the May 25 deadline has passed to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR), compliance executives may be breathing a sigh of relief. Yet the real compliance work is only beginning.

GDPR consolidates the EU’s personal data privacy protection laws and redirects the way organizations approach data privacy. It greatly expands the privacy rights of EU citizens and residents, and it applies to any organization that does business with those individuals, regardless of its location. Organizations that don’t comply with GDPR face penalties of up to €20 million or 4 percent of annual worldwide turnover, whichever is greater.

Compliance will require continued focus and effort. Internal audit can help the organization mitigate GDPR compliance risks by identifying ways to improve controls, raising risk awareness, and assuring compliance.

Improving Controls
Internal audit can help the organization shift from the preparation phase to the implementation phase of GDPR. The regulation specifically requires organizations to focus on these control-oriented topics:

- Accuracy and quality requires organizations to ensure data is accurate and up-to-date and that individuals can correct their records.
- Security and privacy by design requires organizations to document decisions taken to inform EU residents about how their data will be used and restricted. They also must implement technical, administrative, and physical security/privacy controls to mitigate potential harm.
- Security safeguards ensure that technical and organizational measures are implemented for privacy and security.

Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements, and strengthen controls that prevent and detect data errors.

Raising Risk Awareness
The direct risks associated with GDPR relate to potential fines and reputational impact. However, by digging into the regulation’s purpose, internal auditors can see other data protection risks.

Monitoring, Measuring, and Reporting
Organizations must have a data protection officer (DPO) to lead privacy and compliance efforts. Among the DPO’s tasks are reporting on compliance monitoring, training staff, and ensuring privacy
