Data Privacy Audits
Why adding data privacy audits into your internal audit department's annual plan is important
Michelle Maslin
2 min read

What is a data privacy audit?
Much like financial (SOx), cybersecurity, InfoSec, and other functional audits, data privacy audits can have multiple components:
Regulatory Compliance: Assessing letter-of-the-law and spirit-of-the-law compliance with the many established and emerging data privacy laws that apply to your business. These laws extend not just to the consumers you serve, but to the employees, third parties, job applicants, and other data subjects whose personal data you may process.
Internal Policy Governance and Compliance: Your company likely has internal policies unique to how you handle personal data. These are usually an extension of regulatory requirements, often including industry-specific best practices that help protect the business and its assets, including the personal data it processes.
Vendor Service Agreements: Your company may use vendors, or may itself be a vendor, under contracts that set specific requirements for data stewardship. An example is an obligation to delete personal data within a set number of days after the contracting partner issues a deletion request.
Certifications and Readiness Reviews: Many business partnerships require contractual partners to obtain certifications or attestations before entering into business together (or to maintain them to continue the partnership). For example, readiness reviews and internal audits are an important part of obtaining and maintaining ISO 27001 and HITRUST certifications and SOC 2 attestation reports.
Privacy Internal Controls: Businesses with more mature privacy programs are starting to establish a suite of privacy internal controls. Using the NIST Privacy Framework or another accepted privacy framework as a guide, privacy internal controls operate in a similar fashion to their financial and security counterparts, and many topics, such as Access Management, overlap these areas. Privacy internal controls are designed to address privacy risk within the organization, and part of internal audit’s job is ensuring that they are (a) designed to appropriately manage that risk and (b) operating effectively. This includes detailed testing of both the design effectiveness and the operating effectiveness of the controls, to provide confidence in your organization’s privacy program and internal control structure.
Incorporating data privacy into internal audits
Internal audit teams strengthen the organization's ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and feedback (IIA Standards). This mandate covers all company objectives and the risks to those objectives, including data privacy risks. We highly encourage businesses to incorporate data privacy into their annual internal audit planning so they can understand their privacy risks and develop a plan to manage them. We engage with clients in a variety of ways to help in this journey, and we primarily see this take the following two forms:
Privacy Audit Universe Risk Assessment and Prioritization – We partner with internal audit teams to assess and rank the company’s privacy risks after interviewing key stakeholders and reviewing all available external and internal documentation. This is also sometimes referred to as a readiness assessment. One key deliverable is a multi-year audit plan in which audit areas are sequenced by their assessed, comparably measured risk. This plan can then be executed by your internal team or by an external service provider (like us!).
Privacy Internal Audit Execution (Outsourcing) – We execute the internal audit, with partnership and oversight from internal audit leadership, through to the final deliverables and reporting. This includes stakeholder interviews, sample selection, evidence gathering, detailed testing, report writing, and presentation to leadership.
If your internal audit team is looking to expand into the world of data privacy audits, let us help you on your journey! We have many years of experience in privacy and internal audit execution, both as consultants and as former internal audit employees in a variety of industries. Contact us for more information!