AUDIT AND ASSURANCE
HOW TO AUDIT GDPR
© 2017 ISACA. All Rights Reserved.
© 2018 ISACA. All Rights Reserved.
CONTENTS
Introduction
Overview of GDPR
Auditing GDPR: Key Principles
/ Data Controller vs. Data Processor
/ Lawfulness, Accuracy, Fairness and Transparency
/ Lawfulness
/ Accuracy
/ Fairness
/ Transparency
/ Purpose Limitation
/ Data Minimization
/ Storage Limitation
/ Confidentiality, Integrity and Availability
/ Confidentiality
/ Integrity
/ Availability
/ Third-Party Data Processors
Conclusion
Acknowledgments
ABSTRACT

The General Data Protection Regulation (GDPR) introduces new rules that govern the use and manipulation of personal data. Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance. This white paper explores the role of audit with respect to GDPR and outlines how audits can be delivered in an effective and efficient manner.
Introduction

The General Data Protection Regulation 2016/679 (GDPR) became effective on 25 May 2018 in the European Union. It supersedes the Data Protection Directive 95/46/EC. The Data Protection Directive 95/46/EC differed from the new GDPR in that it was issued as a directive, not a regulation. Simply put, under EU law, directives set out goals to be achieved by all member countries, which have the authority to decide upon the nature of implementation. Regulations, on the other hand, are acts of the European Parliament and the Council and, therefore, are binding upon all member countries of the Union and supersede national laws. Because the Data Protection Directive was, in fact, a directive, there was a lack of consistency in its application across the EU. GDPR seeks to rectify this, but member states have been allowed derogations that have to be justified on grounds of national interest.

Historically, authorities have lagged behind rapid advances in technology when approaching data protection regulation, particularly in regard to communications technologies that corporations and governments use to connect with data subjects. In 1989, the concept of universal access to a World Wide Web was essentially science fiction. Over the last 30 years, data protection legislation has developed little beyond its initial attempts to address traditional communication systems, despite monumental advances in the complexity and scope of data traffic over the Internet.

GDPR gives EU residents control over their personal data[1] wherever in the world they or their data may reside. It not only standardizes regulation across the EU and the European Economic Area (EEA), it also affects all enterprises that process data from EU/EEA countries. Penalties for noncompliance are severe. Enforcement authorities can impose fines of up to 4 percent of worldwide annual turnover or €20 million, whichever is higher.

Figure 1 represents key domains and associated requirements under GDPR.

FIGURE 1: Key GDPR Domains and Requirements
• DPO: required if the enterprise is a data processor, a public-sector body, or stores or processes sensitive data; otherwise not required
• Data breach: response plan; communicate within 72 hours of discovery; impact assessment; fix
• Documentation: document data processing activities
• Privacy notices: who you are; what you are doing with the data; legal basis for storing and processing; data retention periods; right of complaint to the ICO
• Internal processes: identify, secure and monitor the information systems that store or process personal data; develop systems and allocate resources to validate and respond to subject access requests (processes for rejection, response, porting data, amending and erasure)
• Awareness: management awareness; operations training
• Data audit: what, where, why, origin, whom it is shared with, format
• Legitimacy: legally entitled; explicit consent (revocable)
• Children: verify age; if a 'global' company, the minimum age varies across states
• New systems: understand when to conduct a data privacy impact assessment (DPIA, Article 35); implement security by design
• Global company: select lead supervisory authority; notify local supervisory body

[1] GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject')." See GDPR Article 4(1).
Overview of GDPR

Today, search and social media titans like Google and Facebook exemplify the ubiquity and accessibility of personal data. To address this vast capacity for acquiring, storing and transmitting personal data across countless enterprises and governments alike, GDPR advances new rules that limit the use and processing of personal data regardless of where the activities are conducted. Auditors are critical resources in helping enterprises achieve and maintain compliance. Because GDPR is a new, complex and comprehensive regulation that impacts multiple functional areas within an enterprise, auditors will have many questions and face new challenges when executing their duties. This paper anticipates issues likely to arise under GDPR, and answers questions that auditors have not historically faced when conducting engagements.

GDPR unifies data privacy laws across the European Union, gives individuals control over their personal data and protects their privacy. It extends the scope of EU data protection law to all international enterprises processing the data of individuals in the EU, wherever those enterprises are located.

Traditionally, data protection involved a relatively simple set of rules that enterprises followed in managing personal data. Auditors developed a suite of audit programs to validate compliance with personal data laws, regulations and internal policies.

GDPR looks at all data from the perspective of the data subject or "natural person," per the terminology of the regulation. This shift in regulatory perspective implicitly challenges a corporate ethos of self-interest that has traditionally considered corporate needs first and the rights of data subjects second. Accordingly, GDPR forces auditors to change their approach to personal data and their protection in an enterprise.

Until court rulings begin to interpret and apply GDPR, and ultimately yield a critical mass of case law to inform auditing norms in actual practice, auditors and others will perhaps not have complete clarity on the set of validation rules. In the intervening period, auditors should consider looking at GDPR in the way that the Article 29 Working Party[2] intended: as a holistic approach to protecting citizens' personal data, with the interests of the individual at its core. GDPR develops the premise of individual data subjects being the owners of their personal data and confers rights and responsibilities on those with whom the data are shared. As GDPR principles become embedded in corporate processes, it could be said that focusing on the rights of the data subject now displaces, or perhaps replaces, corporate self-interest.

Many readers may question the concept of ownership in the age of big data. In the longer term, whether or not the concept of ownership is compatible with the growth in the digital economy, governments and corporates share information in huge quantities and at an increasingly granular level. It is used for security, for commerce and by political parties. In many cases it is used to model human behavior at an individual or collective level. For example, TechCrunch, a digital economy news site, recently noted, "Uber, the world's largest taxi company, owns no vehicles. Facebook, the world's most popular media owner, creates no content. Alibaba, the world's most valuable retailer, has no inventory. And Airbnb, the world's largest accommodation provider, owns no real estate…. Something interesting is happening."[3]

[2] The Article 29 Working Party included representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board, under GDPR.
[3] Goodwin, T.; "The Battle Is For The Customer Interface," TechCrunch, 3 March 2015, https://techcrunch.com/2015/03/03/in-the-age-of-disintermediation-the-battle-is-all-for-the-customer-interface/
Auditing GDPR: Key Principles

This area of ownership vs. state and corporate need will likely lead to organizations pushing the envelope, which could lead to some interesting legal challenges in the years to come. But in the meantime, auditors will need to be mindful of profiling and construct audit programs to provide assurance that this area of risk is addressed accordingly.

Auditing GDPR is about assessing the controls put in place to respond to risk; it should consider the trio of risk (figure 2) across all facets of an enterprise:
• People
• Processes
• Technology

FIGURE 2: Information Risk
People, processes and technology overlap; information risk sits where the three meet.

This white paper places each of the six principles of GDPR into an audit perspective. While it does not cover all the elements and nuances of the regulation, it does identify where GDPR can be considered within an audit that is already in the enterprise's strategic audit plan. It also suggests where additional audits specific to aspects of GDPR should be developed and added to the overall enterprise audit plan.

GDPR Article 5(2) states, "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1," that is, for ensuring that personal data are processed in accordance with the following six principles set out in Article 5(1):
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

Each of the above principles is explored in more detail later in this paper.

Data Controller vs. Data Processor

Under GDPR, a data controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." This is not to be confused with a data processor who, under GDPR, is a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." In other words, a data processor acts only on the instruction of a data controller.

By making the data controller responsible, GDPR also makes the controller accountable, and this accountability obligation is sometimes referred to as a seventh principle. Strictly, Article 5(2) is not one of the processing principles of Article 5(1): the controller is accountable for ensuring compliance with the six key principles referred to previously. Auditors are concerned with validating the level of compliance.

Lawfulness, Accuracy, Fairness and Transparency

GDPR Article 5 states, "[D]ata shall be … processed lawfully, fairly and in a transparent manner in relation to the data subject" (emphasis added); the same requirements are developed in Articles 12, 13 and 14 and the recitals that accompany them.

Lawfulness

Depending on the lawful basis for collecting data under GDPR, the data subject has various rights. In figure 3, each basis outlined in GDPR is connected to the respective rights of the data subject. Auditors must ensure that enterprises have the systems and processes in place to ensure that these rights are not breached.

FIGURE 3: Lawfulness Mapped to Data Subject's Rights
Lawfulness (Article 5), by lawful basis:
• Consent: right to erasure; right to portability; right to withdraw consent
• Contract: right to erasure; right to portability
• Vital interest: right to erasure
• Public task: right to object
• Legitimate interest: right to erasure; right to object
• Legal obligation: none of the above rights applies

Guidance issued by the Article 29 Working Party suggests that enterprises should undertake a data audit to ascertain what data they hold, where the data are stored, how the data are processed and with whom the data are shared. The Working Party also expects organizations to implement systems to facilitate maintenance and retrieval of personal data, and these should be capable of being demonstrated to the national supervisory authority (such as the Information Commissioner's Office [ICO] in the UK) upon request.

GDPR requires that enterprises understand the basis upon which they are collecting and using data and that they communicate this information to the data subject, who has rights that must be protected. The regulation requires that all the enterprise's processes relating to personal data be evidenced. This evidence may take the form of maintaining "records of processing" (Article 30), which, at a very basic level, form an inventory of what data are processed on which systems, where they are stored and with whom they are shared. This should provide the necessary summary of processes from which the auditor can work.

Accuracy

GDPR Article 5 also states, "Personal data shall be … accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate … are erased or rectified without delay…." The challenge facing the auditor aligns with that of the decision maker: enterprises have consistently complicated and devalued data by replication. Each data stream may have been replicated by various departments and individuals for different uses. Auditors must recognize the risk posed by shadow IT and unstructured data.

A failure to complete the data discovery exercise to identify what information the enterprise retrieves and processes regularly will represent a key audit risk. Auditors should seek to assess the completeness of the data discovery exercise and the actions that followed.
Figure 4 shows the records of processing for each business function.

FIGURE 4: Data Audit: Records of Processing for Each Business Function
Business function
• Article 30 records of processing: purpose of processing; Article 6 lawful basis for processing personal data; Article 9 basis for processing special category data; special category or criminal conviction and offense data; categories of individuals; categories of personal data; categories of recipients; source of personal data (if applicable); retention schedule (if possible); general description of technical and organizational security measures (if possible); names of third countries or international organizations that personal data are transferred to (if applicable); safeguards for exceptional transfers of personal data to third countries or international organizations (if applicable); link to contract with processor; location of personal data; existence of automated decision making, including profiling (if applicable); legitimate interests for the processing (if applicable); link to record of legitimate interests assessment (if applicable); rights available to individuals
• Data protection impact assessment: link to DPIA; DPIA progress
• Consent: link to record of consent
• Privacy notice
• Access request
• Data breach: has a personal data breach occurred?; link to record of personal data breach; data breach notification (supervisory authority, data subject(s))

The records of processing should link with the information asset register, and the data audit should be used to create or update the information asset register.

GDPR lists the minimum contents of the records of processing (Article 30) but does not prescribe their form. Instead, the judgment of each enterprise, in conjunction with guidance from the relevant supervisory authority, determines the appropriate records. At a minimum, the following fields are recommended for use in an information asset register:
• Collection date
• Basis
• Purpose
• Deletion date/retention period
• System(s)
• Sharing: who/what/when/EU-stored?

For many organizations and their auditors, the first hurdle will be to accurately identify what data the enterprise holds, then to ascertain how many versions of those data are stored and where each version is stored. The second hurdle will be to determine whether any of the data stores reflect the single version of the truth that is accurate, complete and current.

Auditors should:
• Review the process undertaken by the business to locate and cleanse the data
• Review the rules that are put in place to minimize the instance of shadow IT systems and manage unstructured data
• Assess data quality annually (at a minimum). The strategic audit plan should cover data quality. Traditionally, data quality audits have focused on corporate data; with GDPR, these audits now need to cover personal data. It could be suggested that, from the regulators' perspective, GDPR now displaces, or perhaps replaces, corporate self-interest with that of the data subject.

Fairness

In terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance. These rights include:
1. Right of access to the data (to know what data are held about the individual)
2. Right to rectification of the data
3. Right to erasure of the data (right to be forgotten)
4. Right to restriction of processing
5. Right to data portability (to be given personal data in a structured, commonly used and machine-readable format and to transmit such data to another controller)
6. Right to object to the processing of personal data, including profiling
7. Right not to be subject to a decision based solely on automated processing, including profiling, where such processing may have legal ramifications or significantly affect the rights of the data subject
These rights are exercised through a subject access request (SAR). While SARs have been common in the United Kingdom for a number of years, albeit not in high volumes and predominantly relating to employment issues, GDPR introduces greater rigor. The organization's response must meet requirements for timescales and information provided.

A GDPR SAR audit will be an audit of processes and the design and effective implementation of controls (figure 5).

FIGURE 5: Subject Access Request (SAR) Path
Request → Validation → Response

Each process begins with a request, goes through validation and results in a response. Auditors are interested in evaluating the appropriateness of the process and testing its effectiveness and the consistency of its application.

New applications may have access request policies built in, but auditors should ascertain whether these applications have been correctly configured and examine how they interface with a SAR system that may have been procured or created to manage this process.

An area that may concern many organizations is backup and recovery. The backup industry has been promoting image-based backups for disaster recovery, but these create challenges in relation to GDPR where a full restore is required: a restored image silently resurrects records that were erased or corrected after the image was taken. Enterprises must put processes in place to deal with reapplication of data changes made under the right to be forgotten and the right to rectification in these circumstances.

Auditors should validate that the systems created to ensure that personal data that have been put out of reach as a result of a SAR keep those data out of reach in the event of a full restore from backup.
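One way to make the control above testable is an append-only ledger of SAR outcomes kept outside the database being imaged, replayed after every restore, together with a suppression list that blocks erased subjects from re-entering by any route. The following is an added example written for this white paper; it is not ISACA's code or any backup vendor's feature. The table layout, the ledger format, the use of a SHA-256 digest of the normalized e-mail address as the stable subject key, and the sample rows are all constructed for the illustration.

```python
"""Replaying SAR-driven erasures and rectifications after a full restore.

Added example for this white paper; not ISACA's code or a vendor feature.
Table layout, ledger format, the hashed e-mail as subject key and the
sample rows are constructed assumptions.
"""
import copy
import hashlib
from typing import Dict, List, Set

# Constructed sample: the customer table as it looked when the backup image
# was taken. Ids 101 and 103 are later erased, 102 is rectified.
SNAPSHOT: Dict[int, dict] = {
    101: {"email": "ana@example.org", "postcode": "SW1A 1AA", "marketing": True},
    102: {"email": "ben@example.org", "postcode": "M1 1AE", "marketing": False},
    103: {"email": "cy@example.org", "postcode": "EH1 1YZ", "marketing": True},
}


def subject_key(email: str) -> str:
    """Stable key for a data subject. Normalizing first means a re-imported
    row with different casing still matches; hashing means the ledger and the
    suppression list do not retain the erased address in clear."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed ledger of SAR outcomes issued after the snapshot. An entry is
# written when each response goes out; the ledger lives outside the imaged DB.
SAR_LEDGER: List[dict] = [
    {"seq": 1, "subject": subject_key("ana@example.org"), "action": "erase"},
    {"seq": 2, "subject": subject_key("ben@example.org"), "action": "rectify",
     "changes": {"postcode": "M2 5BQ"}},
    {"seq": 3, "subject": subject_key("cy@example.org"), "action": "rectify",
     "changes": {"marketing": False}},
    {"seq": 4, "subject": subject_key("cy@example.org"), "action": "erase"},
]


def replay_ledger(table: Dict[int, dict], ledger: List[dict]) -> Dict[int, dict]:
    """Apply every ledger entry, in sequence, to a freshly restored table so a
    rectification followed by an erasure ends in the same state as before."""
    restored = copy.deepcopy(table)
    for entry in sorted(ledger, key=lambda e: e["seq"]):
        hits = [rid for rid, row in restored.items()
                if subject_key(row["email"]) == entry["subject"]]
        for rid in hits:
            if entry["action"] == "erase":
                del restored[rid]
            elif entry["action"] == "rectify":
                restored[rid].update(entry["changes"])
            else:
                raise ValueError(f"unknown ledger action {entry['action']!r}")
    return restored


def suppression_list(ledger: List[dict]) -> Set[str]:
    """Subjects whose most recent ledger action is an erasure. Anything that
    matches them, from a restore, a re-import or an upstream feed, is blocked
    at the point of entry rather than found later by a data audit."""
    last_action: Dict[str, str] = {}
    for entry in sorted(ledger, key=lambda e: e["seq"]):
        last_action[entry["subject"]] = entry["action"]
    return {s for s, a in last_action.items() if a == "erase"}


def admit_row(row: dict, suppressed: Set[str]) -> bool:
    """Gate for rows entering the live system after a restore or import."""
    return subject_key(row["email"]) not in suppressed


def restore_from_image(snapshot: Dict[int, dict], ledger: List[dict]) -> dict:
    """Full restore followed by ledger replay. Returns what an auditor samples:
    the resulting table, the suppression list, and any surviving rows that
    still refer to an erased subject (expected to be empty)."""
    table = replay_ledger(snapshot, ledger)
    suppressed = suppression_list(ledger)
    leaked = sorted(rid for rid, row in table.items()
                    if not admit_row(row, suppressed))
    return {"table": table, "suppressed": suppressed, "leaked": leaked}


if __name__ == "__main__":
    result = restore_from_image(SNAPSHOT, SAR_LEDGER)
    print(sorted(result["table"]))           # [102]
    print(result["table"][102]["postcode"])  # M2 5BQ
    print(result["leaked"])                  # []
```

The audit test is the `leaked` list after a rehearsed restore: it should be empty, and a deliberately re-imported row for an erased subject should be rejected by `admit_row`. The ledger must be backed up on its own schedule, otherwise the restore that loses the database also loses the evidence of what to re-erase.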
Transparency

GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in easily accessible form, and must be provided in writing within one month at the latest.

GDPR does not give a definition of a month, but Recital 59 states, "The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests." It does not suggest a specific number of days, so this is open to organizations to interpret. Whether an organization defines a specific number of days or refers to a calendar month appears to be within its authority; however, whatever the choice, it should be documented and consistently applied.

GDPR also does not expand on when the clock starts ticking in terms of responding to a SAR. However, on the basis that providing personal data to the wrong data subject would constitute a data breach, it is reasonable to assume that an organization should undertake checks to validate the authenticity of a SAR before issuing a response. It is then also reasonable to assume that, once the identity of the data subject has been confirmed, the clock starts. Auditors should note, though, that Article 12(3) itself counts the month from receipt of the request, so the time taken to verify identity should be kept short, and both the receipt date and the verification date should be logged.

In addition to auditors reviewing and validating the SAR response log, they also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable. If this is not the case, then the organization should look at the reasons why and amend accordingly.
Purpose Limitation

Article 5 also states, "Personal data … shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

Data collected for one purpose cannot be repurposed without a new lawful basis, which, where consent is the basis, means further consent. Auditors need to understand that the purpose limitation in GDPR is very narrow. This narrow interpretation was underlined in a recent ruling in France regarding Direct Energie, which may be viewed as a sign of things to come under GDPR.

In this case, the board of CNIL (Commission nationale de l'informatique et des libertés), which enforces data protection law in France, issued a formal notice to Direct Energie for failing to obtain consent for the collection of customer usage data from its Linky smart meters, and ordered it to collect valid consent for the processing.

CNIL observed that at the time of the installation of the Linky meter, customers were asked to provide a single consent for the installation of the meter and for the collection of hourly electricity consumption data, as a corollary of the activation of the meter and in order to benefit from certain tariffs; however, as the installation was mandatory, customers were in fact only consenting to the data collection. Therefore, CNIL determined that consent obtained in such a way by Direct Energie was invalid, as it could not be considered free, informed and specific. In addition, further shortcomings were found in relation to the collection of daily consumption data from the distribution network operator, which took place without requesting customers' consent.[4]

For companies and their auditors, this is likely to be a tricky area and one that will see much activity in the courts. Auditors should be interested in the systems that have been put in place to validate the purpose, especially where consent is the basis. Each enterprise should know why it is collecting data, what the data are used for and whether their use complies with the stated processing purpose. The simplest approach is to create a schedule of uses of personal data and link this schedule to the personal data stored. Auditors should expect that records are flagged with a reference to a defined purpose that will in turn define the basis. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.

[4] DataGuidance, "France: CNIL's notice to DIRECT ENERGIE on collection of smart meter data 'indication of likely approach of DPAs post-GDPR'," 29 March 2018, https://www.dataguidance.com/france-cnil-notice-direct-energie-collection-smart-meters-data-indication-likely-approach-dpas-post-gdpr/
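The schedule of uses, the purpose reference on each record and the link to the retention policy described above can be checked mechanically once the register is exported. The following is an added example written for this white paper, not ISACA's tooling or any vendor's product: it runs the checks an auditor would sample by hand (purpose defined, basis derived from purpose, consent evidenced where consent is the basis, retention not exceeded, no use beyond the collection purpose) over a constructed register extract. The register layout, field names, purpose schedule and sample rows are assumptions made for the illustration; the loaders would be replaced by the enterprise's own export.

```python
"""Automated checks over a records-of-processing extract.

Added example for this white paper; not ISACA's tooling or a vendor product.
Register layout, field names, purpose schedule and rows are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class Purpose:
    """One entry in the schedule of uses: the purpose fixes the Article 6
    basis and, through the retention policy, the deletion date."""
    basis: str           # consent, contract, legal_obligation, ...
    retention_days: int  # taken from the records retention and deletion policy


@dataclass
class DataItem:
    """One row of the information asset register."""
    store: str                    # system holding the data
    subject_ref: str              # pseudonymous reference to the data subject
    collected: date
    collected_for: str            # purpose declared to the subject at collection
    used_for: Set[str] = field(default_factory=set)
    consent_valid: bool = False   # only meaningful where the basis is consent


# Constructed schedule of purposes, each linked to a basis and a retention period.
PURPOSES: Dict[str, Purpose] = {
    "order_fulfilment": Purpose("contract", 365 * 6),
    "marketing_email": Purpose("consent", 365 * 2),
    "tax_records": Purpose("legal_obligation", 365 * 7),
}

# Constructed register rows, chosen so each class of finding fires once.
REGISTER: List[DataItem] = [
    DataItem("crm", "s-1", date(2018, 1, 10), "order_fulfilment", {"order_fulfilment"}),
    DataItem("crm", "s-2", date(2015, 3, 1), "marketing_email", {"marketing_email"}, True),
    DataItem("crm", "s-3", date(2018, 2, 1), "order_fulfilment",
             {"order_fulfilment", "marketing_email"}),
    DataItem("erp", "s-4", date(2018, 1, 1), "marketing_email", {"marketing_email"}),
    DataItem("legacy", "s-5", date(2017, 6, 1), "smart_meter_hourly", {"smart_meter_hourly"}),
]


def audit_register(items: List[DataItem], purposes: Dict[str, Purpose],
                   as_of: date) -> List[str]:
    """Return one finding per control failure."""
    findings: List[str] = []
    for it in items:
        ref = f"{it.store}/{it.subject_ref}"
        purpose = purposes.get(it.collected_for)
        if purpose is None:
            # No defined purpose means no basis and no retention date either.
            findings.append(f"{ref}: purpose '{it.collected_for}' is not in the schedule")
            continue
        if purpose.basis == "consent" and not it.consent_valid:
            findings.append(f"{ref}: basis is consent but no valid consent record")
        if it.collected + timedelta(days=purpose.retention_days) < as_of:
            findings.append(f"{ref}: held past retention for '{it.collected_for}'")
        for extra in sorted(it.used_for - {it.collected_for}):
            findings.append(f"{ref}: used for '{extra}' but collected for "
                            f"'{it.collected_for}' (repurposing without a basis)")
    return findings


def run_demo(as_of: date = date(2018, 6, 1)) -> List[str]:
    return audit_register(REGISTER, PURPOSES, as_of)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run against the constructed rows as of 1 June 2018, it reports four findings: s-2 held past its two-year consent retention, s-3 used for marketing although collected for order fulfilment, s-4 on a consent basis with no consent record, and s-5 tagged with a purpose that is not in the schedule. Row s-1 is clean. The `as_of` parameter lets the auditor re-run the retention check for the date of the audit period end rather than today.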
Data Minimization

Article 5 states, "Personal data … shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

Processing should use only the data specifically required to accomplish a given task. Thus, to comply with GDPR, enterprises must implement data minimization rules and processes at every step of the data life cycle. Enterprises must limit personal data collection, storage and usage to what is relevant and necessary for processing. A new trend should emerge, less is more, and enterprises should not collect and store personal data just in case they might become useful in the future.

The key consideration is that only the minimum data for a defined purpose are collected and stored. For example, employers who collect sensitive medical data about their employees will have to consider the reasons why they do so. The question can be raised as to whether the data are relevant if an individual:
1. Had a hospital stay three years ago to have a wisdom tooth removed
2. Suffers from epilepsy

The first may not be relevant, but the second could be relevant with regard to safeguarding the employee and any patients they may treat in the future. Each individual scenario needs to be considered on its own merits.

The key for the auditor is to assess the processes and associated rules that have been established to validate the data collected. An enterprise should be able to create a set of purposes that are governed by auditable rules and assign these rules to each data source.
Storage Limitation

GDPR Article 5 states:
"Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes."

The key phrase to consider here is "permits identification." Auditors should conclude from this that so long as the systems and processes work to anonymize the data at a given point in time, then it is acceptable to keep and utilize the data for modeling. In the context of GDPR, the systems and processes that have been put in place must prevent:
• Singling out: Is it possible to isolate someone in particular through the data?
• Linkage: Is it possible to link at least two records concerning the same data subject?
• Inference: Is it possible to deduce information about one person?

Once data are anonymized, GDPR no longer applies, but when data are truly anonymized they are considered by some to have lost much of their value.

One solution to this is pseudonymization, which involves replacing personally identifiable data within a data record with artificial identifiers, or pseudonyms. The pseudonyms make the data records unidentifiable when they are shared, but the data can be restored to their original state eventually, allowing individuals to be reidentified. This white paper does not explore this concept to any great length except to say that pseudonymization may significantly reduce the risk associated with data processing, while also maintaining the data's value. Auditors should bear in mind that pseudonymized data remain personal data under GDPR (Article 4(5) and Recital 26): the regulation still applies, and the key or lookup table that permits reidentification must be held separately from the extract and protected accordingly.
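The three tests above (singling out, linkage, inference) and the pseudonymization approach can be exercised on a sample extract before it is shared. The following is an added example written for this white paper, not ISACA's code or any product: direct identifiers are replaced with a keyed HMAC-SHA256 token whose key and lookup table stay with a separate custodian, and the remaining quasi-identifiers are checked for combinations that single out fewer than k distinct subjects, counting subjects rather than rows so that linked records for one person are not mistaken for a crowd. The record layout, the quasi-identifier set, the key handling and the sample rows are assumptions made for the illustration.

```python
"""Keyed pseudonymization plus a singling-out check on a shared extract.

Added example for this white paper; not ISACA's code or a product. Record
layout, quasi-identifier set, key handling and rows are constructed.
"""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Set, Tuple

DIRECT_IDENTIFIERS = ("patient_no", "name")
QUASI_IDENTIFIERS = ("postcode", "birth_year")

# Constructed source rows: two records belong to the same person (A. Lee).
SOURCE_ROWS: List[Dict] = [
    {"patient_no": "943 476 5919", "name": "A. Lee", "postcode": "SW1A 1AA",
     "birth_year": 1984, "diagnosis": "asthma"},
    {"patient_no": "401 023 2137", "name": "B. Kaur", "postcode": "SW1A 1AA",
     "birth_year": 1984, "diagnosis": "epilepsy"},
    {"patient_no": "943 476 5919", "name": "A. Lee", "postcode": "SW1A 1AA",
     "birth_year": 1984, "diagnosis": "eczema"},
    {"patient_no": "770 116 3822", "name": "C. Obi", "postcode": "EH1 1YZ",
     "birth_year": 1951, "diagnosis": "asthma"},
]


def pseudonym(key: bytes, direct_id: str) -> str:
    """Deterministic keyed token: the same subject always maps to the same
    value, so records can still be linked within the extract, but without the
    key the token can neither be inverted nor recomputed from a guessed
    identifier (an unkeyed hash of a patient number would be guessable)."""
    canonical = direct_id.replace(" ", "").upper().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Strip direct identifiers; return (extract, re-identification table).
    The table is what makes this pseudonymization rather than anonymization:
    it stays with the key custodian and is never shipped with the extract."""
    extract, lookup = [], {}
    for row in rows:
        token = pseudonym(key, row["patient_no"])
        lookup[token] = row["patient_no"]
        extract.append({"pid": token,
                        **{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}})
    return extract, lookup


def singled_out(extract: List[Dict], quasi: Tuple[str, ...], k: int = 2) -> List[Tuple]:
    """Quasi-identifier combinations shared by fewer than k distinct subjects.
    Counting distinct pids rather than rows matters: two rows for one person
    (linkage) do not make that person any harder to single out."""
    subjects: Dict[Tuple, Set[str]] = defaultdict(set)
    for row in extract:
        subjects[tuple(row[q] for q in quasi)].add(row["pid"])
    return sorted(combo for combo, pids in subjects.items() if len(pids) < k)


def suppress(extract: List[Dict], quasi: Tuple[str, ...], k: int = 2) -> List[Dict]:
    """Drop rows in any quasi-identifier group below the threshold before the
    extract leaves the controller."""
    risky = set(singled_out(extract, quasi, k))
    return [row for row in extract if tuple(row[q] for q in quasi) not in risky]


if __name__ == "__main__":
    key = b"held-by-key-custodian-not-in-extract"  # constructed; use a managed secret
    extract, lookup = pseudonymize(SOURCE_ROWS, key)
    print(singled_out(extract, QUASI_IDENTIFIERS))    # [('EH1 1YZ', 1951)]
    print(len(suppress(extract, QUASI_IDENTIFIERS)))  # 3
```

On the constructed rows the SW1A 1AA/1984 group holds two distinct subjects and passes at k=2, while EH1 1YZ/1951 singles out one person and is suppressed, leaving three rows. The extract is still pseudonymized, not anonymized, as long as `lookup` and the key exist anywhere; the auditor's questions are who holds them, under what access control, and whether the k threshold was chosen and documented rather than defaulted.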
Auditors should be concerned with validating these processes and their consistent application. Auditors should approach with caution and consider retention first and foremost in terms of other legislation and regulation before GDPR and the enterprise's needs. GDPR only replaces existing data protection legislation and does not overwrite other existing legislation such as that relating to record retention (e.g., for tax purposes).

An enterprise should build into its records retention and deletion policies (both manual and electronic) the rules that ensure compliance with legislation and regulation. Auditors are familiar with a records retention review in that it covers:
• All manual and electronic data, including emails
• Industry or sector standards and/or best practice where retention is subject to specific requirements

The systems and technologies, in turn, support basic internal and external compliance requirements. For example, they:
• Provide ways to track and audit retention management
• Automate and enforce records destruction policies
• Enforce security requirements such as access control and tracking
• Record and audit for physical and electronic records, and security for modification and deletion rights with tracking

Where electronic data recording systems are used and offer facilities allowing retention periods to be set, the auditor should confirm that the facilities are being used and the configured retention dates conform to the policy's data review requirements. In addition, it is incumbent on the auditor to ensure the procedures are not only followed but adequate. Is the actual destruction of personal data properly carried out in accordance with the enterprise's policy? Does the enterprise dispose of IT software and hardware in a manner that fully conforms to the enterprise's policy?
Enterprises can easily fail to comply with GDPR by failing to safeguard personal data upon disposal of hardware and software. Different countries have their own standards for disposal of data assets; for example, many countries have enacted or adopted waste electrical and electronic equipment (WEEE) laws and regulations.

The business risk related to asset disposal can be substantial and falls into two main categories:
1. Data destruction: GDPR's security and storage limitation principles mean in practice that data must be irretrievably destroyed prior to IT equipment disposal.
2. Asset disposal: The revised UK WEEE asset disposal legislation mandates that businesses must dispose of their redundant IT equipment according to stringent government disposal standards, having already destroyed the data using exacting approved methodologies.
Confidentiality, Integrity and Availability

Another principle contained in Article 5 concerns the integrity and confidentiality of personal data. This principle can be summarized as follows: Personal data must be processed using appropriate technical and organizational security measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Auditors and security professionals are familiar with this area, the requirements and benefits of keeping data safe and accessible and maintaining their integrity. But this has, for the most part, been restricted to business-sensitive data and intellectual property (IP), with little or no focus on personal data (unless, of course, the business is in personal data, such as health care).

Auditors are aware of the three fundamental principles underpinning information security: confidentiality, integrity and availability (CIA), known as "the CIA triad," a concept developed many years ago. The interesting thing from a GDPR perspective is that the regulation appears to draw directly on this concept.

Confidentiality

In the context of GDPR, confidentiality is about privacy. The purpose of this principle is to ensure that data are accessible only to people who are authorized to access them. For example, a patient's medical history is something the patient normally wants kept private, so only a few people, such as a doctor treating the patient, should have access to it.

Integrity

GDPR requires data to be accurate and up to date. Enterprises should avoid making multiple copies of the data where possible and should also be wary of enriching the data in a way that extends beyond the stated purpose of the data's collection and processing. The requirement that the controller should be able to demonstrate that the purpose has not been extended adds an extra facet to the CIA triad, in which integrity refers to the accuracy and the reliability of data or information in the system but does not consider the original purpose for which they were collected.

Availability

In the context of GDPR, availability means exactly what it does in a security context: data are available to authorized individuals when required. But in GDPR, availability also refers to the accessibility of data subjects to the data and information held about them. In the GDPR context, an organization will be judged as having a flawed process for dealing with SARs if it fails to provide a complete and accurate data set within the defined response time of one month.

As with confidentiality and integrity, interruptions in availability can happen without any intention of doing harm. For example, a cloud-based service can experience technical outages that impact the availability of information systems using the platform. Other concerns can include power outages and natural disasters. So, from a GDPR perspective, what controls are in place to provide resilience?
ISACA has produced a publication titled Information Security Management Audit/Assurance Program,[5] which is a good basis for undertaking an ISM audit and can easily be extended to encompass personal data. The scope of the program is extensive but, for GDPR needs, the auditor should focus on personal data and information:
• Information security management: processes associated with governance, policy, monitoring, incident management and management of the information security function
• Information security operations management: processes associated with the implementation of security configurations
• Information security technology management: processes associated with the selection and maintenance of security technologies

In addition to the topics just listed, it will also be necessary to undertake the following discrete audits to support the assurance opinion:
• Identity and access management
• Security incident management
• Network perimeter security
• Systems development
• Project management
• IT risk management
• Asset/data management
• Vulnerability management
Third-Party Data ProcessorsUnderGDPRArticle28,controllersmayappointonlythose
processorswhocanprovide“sufficientguarantees”to
meettherequirementsofGDPR.Processorsmustact
onlyonthedocumentedinstructionsofthecontroller,and
theycanbehelddirectlyresponsiblefornoncompliance
withGDPRobligationsorthecontroller’sinstructions.In
theseinstances,processorsmaybesubjectto
administrativefinesorothersanctionsandliabletopay
compensationtodatasubjects.
WhatdoesArticle28meaninpracticeforthedata
controller?Datacontrollersareresponsiblefor:
Knowingwhothedataprocessorsare•
Knowingwhatinformation,theenterpriseissharingwiththem•
Knowinghowtheyareprotectingit•
ConsideringhowGDPRcanbeusedtomanageriskand•
complianceinthesupplychain
Auditorsneedtosatisfythemselvesthatthecontracts
registerismaintained,completeanduptodateand
containsarobustapproachtoadditionsanddeletions.
Auditorsshouldexpecttoseethatasupplierrisk
assessmenthasbeencompletedthatservestorankeach
supplierintermsofdatarisk.Ifthereisanydoubt,the
auditorshouldselectasampleandaskthevendorto
completeaGDPRcomplianceanddatasecurity
questionnaire.
Notallthird-partydataprocessorswillprocesspersonal
data.Theauditorshouldensurethatprocessorsof
personaldataareflaggedinthecontractsregister.The
registershoulddocumentthedatacategory,recordthe
processingactivitiesundertakenandlinktotherecordsof
processingsystem.Becausebreachnotificationisa
criticalriskarea,theauditorshouldmakesureittoois
coveredinthecontractsregister.
Auditorswhorelyoncompliancewithinternational
standardssuchasInternationalOrganizationfor
Standardization(ISO)/InternationalElectrotechnical
Commission(IEC)27001orattestationsshouldensure
thatthescopeisappropriate,thecertificationisuptodate
andthecertifyingbodyisaccredited.Inaddition,relative
toaserviceauditor’sreport,itisadvisabletoconfirmthat
theauthorhastheappropriateskillsandthereport’s
scopeissufficientinthatitcoverstheareasofthe
organizationthatpertaintotheserviceprovision.Itisalso
wisetocheckthattheperiodcoveredbythereportis
withinthepast12months.
The auditor should also ask to inspect the third parties’ GDPR framework policy to ensure that, at a minimum, it includes:
• IT security policy
• Records management policy
• Business continuity management and disaster recovery
• Breach response plan
• Privacy policy
5 ISACA, Information Security Management Audit/Assurance Program, 2010, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Management-Audit-Assurance-Program.aspx
Conclusion
GDPR does not reflect a whole new philosophy regarding auditing personal data. Rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might have previously encountered.
Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise’s annual audit plan. While some might argue that processing a SAR (subject access request) is relatively new, others might counter by saying that the SAR is just another element of management information/reporting and, as such, needs to be accurate, concise and timely. The distinction is that the recipient happens to be a member of the public rather than a member of the board or a regulatory body.
Auditors will be better served not to think in terms of GDPR but rather of data and the application of the rules.
Acknowledgments
Lead Developer
Steven Connors, FFA, FFTA, FIPA, IT Partner, United Kingdom
Expert Reviewers
Graham Carter, Corporate IS Risk and Compliance Manager, United Kingdom
Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT, FACS CP, Director of Information Security and IT Assurance, Australia
Laszlo Dellei, CCISO, ITIL, Partner, Budapest
Scott Rosenmeier, CISSP, ISSAP, ISSMP, Senior Information Security Manager, Germany
Michael J. Podemski, CIPM, CIPT, Senior Manager, Advisory Services, USA
ISACA Board of Directors
Rob Clyde, Chair, CISM, Clyde Consulting LLC, USA
Brennan Baybeck, Vice-Chair, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA
Tracey Dedrick, Former Chief Risk Officer with Hudson City Bancorp, USA
Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP, CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP, Merck & Co., Inc., Singapore
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP, Holistics GRC, Mexico
Gregory Touhill, CISM, CISSP, Cyxtera Federal Group, USA
Ted Wolff, CISA, Vanguard, Inc., USA
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT, South Africa
Theresa Grafenstine, ISACA Board Chair, 2017-2018, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, Deloitte & Touche LLP, USA
Chris K. Dimitriadis, Ph.D., ISACA Board Chair, 2015-2017, CISA, CRISC, CISM, INTRALOT, Greece
Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA, USA
Robert E Stroud (1965-2018), ISACA Board Chair, 2014-2015, CRISC, CGEIT, XebiaLabs, Inc., USA
ISACA is deeply saddened by the passing of Robert E Stroud in September 2018.
1700E.GolfRoad,Suite400
Schaumburg,IL60173,USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Participate in the ISACA
Knowledge Center: www.isaca.org/knowledge-center
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkd.in/ISACAOfficial
Facebook: www.facebook.com/ISACAHQ
Instagram: www.instagram.com/isacanews/
About ISACA
Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today’s world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 217 chapters and offices in both the United States and China.
About ACL
ACL’s purpose-built, cloud-based platform helps IT teams manage
governance over cybersecurity, privacy, regulations, risk and compliance. ACL
makes it easy to continuously analyze data, enabling robotic automation of
governance activities and visualization of patterns. And with over 30 years of
experience, built-in best practices and a professional development ecosystem,
ACL quickly helps IT managers work more efficiently, identify and mitigate
risk, reduce compliance pressures, and ensure audit and regulatory readiness.
For more information, please visit: www.acl.com.
DISCLAIMER
ISACA has designed and created How to Audit GDPR (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
Provide Feedback: www.isaca.org/how-to-audit-GDPR
RESERVATION OF RIGHTS
© 2018 ISACA. All rights reserved.
Are you confident in YOUR GDPR ASSURANCE PROGRAM?
Implementing an effective GDPR compliance program is a significant challenge—and delivering GDPR assurance demands a change from business as usual.
You can tame the challenge. ACL is the perfect platform to help you define and execute an effective and efficient GDPR audit program.
ACL’s single, centralized platform helps you manage, audit, and report on your GDPR program and any other obligations—whilst providing continuous governance and oversight.
• Get up and running fast with our industry-leading SaaS-based solution
• Uncover potential data governance issues with data-driven analytics
• Work with ISACA GDPR pre-loaded frameworks, compliance maps, and best practice accelerators
• Automate workflows and reduce audit execution time
• Demonstrate GDPR compliance with rich, real-time reporting and dashboards
ACL’s governance technology powered by data automation can help you get there. Download your GDPR Success Kit at acl.com/ISACA-GDPR