Data privacy is one of the most newsworthy business topics in the world. Not only does it make a good story – anything from the Sony Pictures Entertainment hack to Edward Snowden’s revelations about the US government harvesting customer information – but it also affects millions of people (this data visualization outlines the major leaks of the past decade).
The high risk and high likelihood of this threat affecting any large firm means it’s no wonder that internal audit and risk management teams say “data privacy” is the number one risk they plan to focus on in the next 6 to 12 months, according to CEB’s “Audit Plan Hot Spots” report.
The conditions are ripe for Internal Audit to get involved: only 30% of data privacy officers are satisfied with their privacy programs and 72% of companies audit privacy controls “less than annually” or “not at all.”
The Importance of Data Privacy and Understanding Risk
Data privacy is something that all firms need to get right. The use of vast data sets to inform business decisions can create big advantages for companies by helping to anticipate customer needs and understand relevant trends. If inadequate privacy controls and poor data governance compromise the ability to do this, companies stand to fall behind their competitors, and fall foul of the law in countless countries.
And these privacy problems can be far-reaching and expensive: lost business, regulatory noncompliance that leads to big penalties, and a drain on management attention. The indirect costs can be 10 times larger than that of the initial response to the breach itself, according to CEB research.
Furthermore, as companies continue to increase the collection, use, and storage of personal information, regulators around the world are attempting to keep pace. This just adds an additional layer of complexity as multinationals could find themselves exposed to numerous conflicting legal requirements.
Case in Point: The ‘Safe Harbor’ Ruling
A good illustration is the October 6th ruling from the European Court of Justice that invalidates and suspends the 15-year-old “Safe Harbor” agreement, which allowed the personal data of Europeans to be stored in the US by companies that declare they abide by the principles of the EU’s protections.
Because of this decision, “In theory, American companies with European customers could now end up trying to follow 20 or more different sets of national data-privacy regulations,” according to Business Insider. The article claims that “up to 4,500 US companies — not just tech firms — have relied on Safe Harbor.”
What Audit Teams Should Do
There are four things that internal audit teams should do to help their firm minimize the risk.
Review the processes used to collect, analyze, store, and share personal information (including employee information).
Ensure the appropriate controls are integrated into all projects and initiatives.
Test the effectiveness of privacy training and awareness campaigns.
Make the appropriate improvements in employee awareness and behaviors related to privacy risks.
And then teams should add three components to their 2016 audit plan.
Personal information mapping review: Make sure that all the personal information your organization has collected has been classified, added to an inventory, and had its location recorded.
Make sure that each data type has an owner who is responsible for monitoring access and approving requests to share that information with third parties.
Assessment of information governance: Don’t let your company approach the issue in a disjointed manner.
Confirm that your firm has identified a single individual to coordinate how privacy risks should be managed between the data privacy team (often reporting up into the general counsel) and the information security team (often reporting into the CIO). Make sure that each function has clearly defined roles and responsibilities and that no gaps in coverage or redundancies exist between the two.
Test employee behavior: Evaluate whether or not training initiatives lead to the right kind of “privacy aware” employee behavior.
Make sure that this training targets high risk employees and that this education helps employees relate what they learn to their day-to-day responsibilities.