audit and assurance how to audit gdprrms.koenig-solutions.com/sync_data/trainer/qms/1752...overview...

AUDIT AND ASSURANCE HOW TO AUDIT GDPR


Post on 30-Dec-2020



© 2017 ISACA. All Rights Reserved.

AUDIT AND ASSURANCE

HOW TO AUDIT GDPR



CONTENTS

4 Introduction
5 Overview of GDPR
6 Auditing GDPR: Key Principles
6 / Data Controller vs. Data Processor
7 / Lawfulness, Accuracy, Fairness and Transparency
7 / Lawfulness
7 / Accuracy
8 / Fairness
9 / Transparency
10 / Purpose Limitation
10 / Data Minimization
11 / Storage Limitation
12 / Confidentiality, Integrity and Availability
12 / Confidentiality
12 / Integrity
12 / Availability
13 / Third-Party Data Processors
14 Conclusion
15 Acknowledgments


ABSTRACT

The General Data Protection Regulation (GDPR) introduces new rules that govern the use and manipulation of personal data. Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance. This white paper explores the role of audit with respect to GDPR and outlines how audits can be delivered in an effective and efficient manner.


Introduction

The General Data Protection Regulation 2016/679 (GDPR) became effective on 25 May 2018 in the European Union. It supersedes the Data Protection Directive 95/46/EC. The Data Protection Directive 95/46/EC differed from the new GDPR in that it was issued as a directive, not a regulation. Simply put, under EU law, directives set out goals to be achieved by all member countries, who have the authority to decide upon the nature of implementation. Regulations, on the other hand, are acts of European Parliament and, therefore, are binding upon all member countries of the Union and supersede national laws. Because the Data Protection Directive was, in fact, a directive, there was a lack of consistency in its application across the EU. GDPR seeks to rectify this, but member states have been allowed derogations that have to be justified on grounds of national interest.

Historically, authorities have lagged behind rapid advances in technology when approaching data protection regulation, particularly in regard to communications technologies that corporations and governments use to connect with data subjects. In 1989, the concept of universal access to a World Wide Web was essentially science fiction. Over the last 30 years, data protection legislation has developed little beyond its initial attempts to address traditional communication systems, despite monumental advances in the complexity and scope of data traffic over the Internet.

GDPR gives EU residents control over their personal data[1] wherever in the world they or their data may reside. It not only standardizes regulation across the EU and the European Economic Area (EEA), it also affects all enterprises that process data from EU/EEA countries. Penalties for noncompliance are severe. Enforcement authorities can impose fines up to 4 percent of worldwide revenue or €20 million, whichever is higher.

Figure 1 represents key domains and associated requirements under GDPR.

[1] GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” See GDPR Article 4(1).

FIGURE 1: Key GDPR Domains and Requirements

• DPO: a DPO is required if the enterprise is a data processor, is in the public sector, or stores or processes sensitive data; otherwise a DPO is not required
• Data breach: response plan; communicate within 72 hours of discovery; impact assessment; fix
• Documentation: document data processing activities; privacy notices covering who you are, what you are doing with the data, the legal basis for storing and processing, data retention periods and the right of complaint to the ICO
• Internal processes: identify, secure and monitor the information systems that store or process personal data; develop systems and allocate resources to validate and respond to subject access requests (process for rejection, process for response, process for porting data, process for amending, process for erasure)
• Awareness: management awareness; operations training
• Data audit: what, where, why, origin, whom it is shared with, format
• Legitimacy: legally entitled; explicit consent (revocable)
• Children: verify age; if a ‘global’ company, minimum age varies across states
• New systems: understand when to conduct a data privacy impact assessment (DPIA - Article 35); implement security by design
• Global company: select lead supervisory authority; notify local supervisory body


Overview of GDPR

Today, search and social media titans like Google and Facebook exemplify the ubiquity and accessibility of personal data. To address this vast capacity for acquiring, storing and transmitting personal data across countless enterprises and governments alike, GDPR advances new rules that limit the use and processing of personal data regardless of where the activities are conducted. Auditors are critical resources in helping enterprises achieve and maintain compliance. Because GDPR is a new, complex and comprehensive regulation that impacts multiple functional areas within an enterprise, auditors will have many questions and face new challenges when executing their duties. This paper anticipates issues likely to arise under GDPR, and answers questions that auditors have not historically faced when conducting engagements.

GDPR unifies data privacy laws across the European Union, gives individuals control over their personal data and protects their privacy. It extends the scope of EU data protection law to all international enterprises processing the data of EU citizens, wherever citizens may reside.

Traditionally, data protection involved a relatively simple set of rules that enterprises followed in managing personal data. Auditors developed a suite of audit programs to validate compliance with personal data laws, regulations and internal policies.

GDPR looks at all data from the perspective of the data subject or “natural person,” per the terminology of the regulation. This shift in regulatory perspective implicitly challenges a corporate ethos of self-interest that has traditionally considered corporate needs first and the rights of data subjects second. Accordingly, GDPR forces auditors to change their approach to personal data and their protection in an enterprise.

Until court rulings begin to interpret and apply GDPR, and ultimately yield a critical mass of case law to inform auditing norms in actual practice, auditors and others will perhaps not have complete clarity on the set of validation rules. In the intervening period, auditors should consider looking at GDPR in the way that Working Party 29[2] of the European Commission intended: as a holistic approach to protecting citizens’ personal data, with the interests of the individual at its core. GDPR develops the premise of individual data subjects being the owners of their personal data and confers rights and responsibilities on those with whom the data are shared. As GDPR principles become embedded in corporate processes, it could be said that focusing on the rights of the data subject now displaces, or perhaps replaces, corporate self-interest. Many readers may question the concept of ownership in the age of big data.

In the longer term, it is an open question whether the concept of ownership is compatible with the growth in the digital economy: governments and corporates share information in huge quantities and at an increasingly granular level. It is used for security, commerce and by political parties. In many cases it is used to model human behavior at an individual or collective level. For example, recently, TechCrunch, a digital economy news site, noted, “Uber, the world’s largest taxi company, owns no vehicles. Facebook, the world’s most popular media owner, creates no content. Alibaba, the world’s most valuable retailer, has no inventory. And Airbnb, the world’s largest accommodation provider, owns no real estate…. Something interesting is happening.”[3]

[2] The Article 29 Working Party included representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board, under GDPR.

[3] Goodwin, T.; “The Battle Is For The Customer Interface,” TechCrunch, 3 March 2015, https://techcrunch.com/2015/03/03/in-the-age-of-disintermediation-the-battle-is-all-for-the-customer-interface/


Auditing GDPR: Key Principles

This area of ownership vs. state and corporate need will likely lead to organizations pushing the envelope, which could lead to some interesting legal challenges in the years to come. But in the meantime, auditors will need to be mindful of profiling and construct audit programs to provide assurance that this area of risk is addressed accordingly.

Auditing GDPR is about assessing the controls put in place to respond to risk; it should consider the trio of risk (figure 2) across all facets of an enterprise:

• People
• Processes
• Technology

Figure 2 shows information risk as the intersection of people, processes and technology.

This white paper places each of the six principles of GDPR into an audit perspective. While it does not cover all the elements and nuances of the regulation, it does identify where GDPR can be considered within an audit that is already in the enterprise’s strategic audit plan. It also suggests where additional audits specific to aspects of GDPR should be developed and added to the overall enterprise audit plan.

GDPR Article 5(2) states, “The controller shall be responsible for, and be able to demonstrate compliance” with GDPR by ensuring that personal data are processed in accordance with the following six principles:

1. Lawfulness, fairness and transparency
2. Purpose limitations
3. Data minimization
4. Accuracy
5. Storage limitations
6. Integrity and confidentiality

Each of the above principles is explored in more detail later in this paper.

Data Controller vs. Data Processor

Under GDPR, a data controller is “the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data.” This is not to be confused with a data processor who, under GDPR, is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” In other words, a data processor acts only on the instruction of a data controller.

By making the data controller responsible, he/she is also accountable, and this sometimes finds itself incorrectly referred to as the seventh principle. In reality, the controller is accountable for ensuring compliance with the six key principles referred to previously. Auditors are concerned with validating the level of compliance.


FIGURE 2: Information Risk


Lawfulness, Accuracy, Fairness and Transparency

GDPR Article 5 states, “[D]ata shall be…processed lawfully, fairly and in a transparent manner in relation to the data subject” (emphasis added), which is also referred to in Articles 12, 13 and 14 and Recitals 95/46.

Lawfulness

Depending on the lawful basis for collecting data under GDPR, the data subject has various rights. In figure 3, each basis outlined in GDPR is connected to the respective rights of the data subject. Auditors must ensure that enterprises have the systems and processes in place to ensure that these rights are not breached.

FIGURE 3: Lawfulness Mapped to Data Subject’s Rights. Lawful bases (Lawfulness - Article 5): public task, vital interest, contract, consent, legitimate interest, legal obligation. Rights linked to those bases in the figure: right to erasure, right to portability, right to withdraw consent, right to object.

Guidance issued by Working Party 29 suggests that enterprises should undertake a data audit to ascertain what data they hold, where the data are stored, how the data are processed and with whom the data are shared. The Working Party also requires that organizations implement systems to facilitate maintenance and retrieval of personal data, and these should be capable of being demonstrated to the national supervisory body (such as the Information Commissioner’s Office [ICO] in the UK) upon request.

GDPR requires that enterprises understand the basis upon which they are collecting and using data and that they communicate this information to the data subject, who has rights that must be protected. The regulation requires that all the enterprise’s processes relating to personal data be evidenced. This evidence may take the form of maintaining “records of processing,” which, at a very basic level, form an inventory of what data are processed on which systems, where they are stored and with whom they are shared. This should provide the necessary summary of processes from which the auditor can work.

Accuracy

GDPR Article 5 also states, “Personal data shall be…accurate, and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate…are erased or rectified without delay….” The challenge facing the auditor aligns with that of the decision maker; enterprises have consistently sought to complicate and devalue data by replication. Each data stream may have been replicated by various departments and individuals for different uses. Auditors must recognize the risk posed by shadow IT and unstructured data.

A failure to complete the data discovery exercise to identify what information the enterprise retrieves and processes regularly will represent a key audit risk. Auditors should seek to assess the completeness of the data discovery exercise and the actions that followed.

Figure 4 shows the records of processing for each business function.


FIGURE 4: Data Audit: Records of Processing for Each Business Function. Fields recorded for each business function:

• Business function
• Article 30 records of processing: purpose of processing; categories of individuals; categories of personal data; categories of recipients; names of third countries or international organizations that personal data are transferred to (if applicable); safeguards for exceptional transfers of personal data to third countries or international organizations (if applicable); retention schedule (if possible); general description of technical and organizational security measures (if possible)
• Article 6 lawful basis for processing personal data
• Article 9 basis for processing special category data; special category or criminal conviction and offense data
• Legitimate interests for the processing (if applicable); link to record of legitimate interests assessment (if applicable)
• Consent: link to record of consent
• Source of personal data (if applicable)
• Privacy notice
• Location of personal data
• Rights available to individuals
• Existence of automated decision-making, including profiling (if applicable)
• Data protection impact assessment: link to data protection impact assessment; DPIA progress; link to DPIA
• Access request
• Link to contract with processor

The records of processing should link with the information asset register, and the data audit should be used to create or update the information asset register.

GDPR does not define the records of processing. Instead, the judgment of each enterprise in conjunction with guidance from the relevant supervisory authority is used to determine the appropriate records. At a minimum, the following fields are recommended for use in an information asset register:

• Collection date
• Basis
• Purpose
• Deletion date/retention period
• System(s)
• Sharing—who/what/when/EU-stored?

For many organizations and their auditors, the first hurdle will be to accurately identify what data the enterprise holds, then to ascertain how many versions of those data are stored and where each version is stored. The second hurdle will be to determine whether any of the data stores reflect the single version of the truth that is accurate, complete and current.

Auditors should:

• Review the process undertaken by the business to locate and cleanse the data
• Review the rules that are put in place to minimize the instance of shadow IT systems and manage unstructured data
• Assess data quality annually (at a minimum). The strategic audit plan should cover data quality. Traditionally, data quality audits have focused on corporate data; with GDPR, these audits now need to cover personal data. It could be suggested that, from the regulators’ perspective, GDPR now displaces, or perhaps replaces, corporate self-interest with that of the data subject.

Fairness

In terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance. These rights include:

1. Right of access to the data (to know what data are held about the individual)
2. Right to rectification of the data


FIGURE 4 (continued): Data Audit—Records of Processing for Each Business Function. Data breach fields: has a personal data breach occurred?; link to record of personal data breach; data breach notification to the supervisory authority and to the data subject(s).


3. Right to erasure of the data (right to be forgotten)
4. Right to restriction of processing
5. Right to data portability (to be given personal data in a structured and commonly used and machine-readable format and transmit such data to another controller)
6. Right to object to the processing of personal data, including profiling
7. Right not to be subject to a decision based solely on automated processing, including profiling, where such processing may have legal ramifications or significantly affect the rights of the data subject

These rights are exercised through a subject access request (SAR). While SARs have been common in the United Kingdom for a number of years, albeit not in high volumes and predominantly relating to employment issues, GDPR introduces greater rigor. The organization’s response must meet requirements for timescales and information provided.

A GDPR SAR audit will be an audit of processes and the design and effective implementation of controls (figure 5).

FIGURE 5: Subject Access Request (SAR) Path: Request, Validation, Response

Each process begins with a request, goes through validation and results in a response. Auditors are interested in evaluating the appropriateness of the process and testing its effectiveness and the consistency of its application.

New applications may have access request policies built in, but auditors should ascertain whether these applications have been correctly configured and examine how they interface with a SAR system that may have been procured or created to manage this process.

An area that may concern many organizations is backup and recovery. The backup industry has been promoting image-based backups for disaster recovery, but these create challenges in relation to GDPR where a full restore is required. Enterprises must put processes in place to deal with the reapplication of data changes under the right to be forgotten and the right to rectification in these circumstances.

Auditors should validate that the systems created to ensure that personal data that have been put out of reach as a result of a SAR keep those data out of reach in the event of a full restore from backup.
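One way an enterprise can evidence the control described above, as an added example that is not part of the ISACA paper: granted SAR outcomes are kept in an append-only ledger stored outside the image backup, the ledger is replayed against the restored records, and an audit check confirms that no erased subject is back in reach. The ledger layout, field names and sample data are all constructed assumptions.

```python
"""Re-apply SAR outcomes (erasure, rectification) after a full restore from an
image backup.  Added example: the ledger layout, field names and sample data
are constructed, not taken from the paper."""
from dataclasses import dataclass
from typing import Dict, List, Optional

Record = Dict[str, str]
Table = Dict[str, Record]


@dataclass
class LedgerEntry:
    """One granted SAR outcome, kept in an append-only ledger that lives
    outside the image backup so that it survives a full restore."""
    sar_id: str
    subject_id: str
    action: str                        # "erase" or "rectify"
    granted_at: str                    # ISO-8601 timestamp, used for ordering
    changes: Optional[Record] = None   # field -> corrected value (rectify only)


def replay_ledger(restored: Table, ledger: List[LedgerEntry]) -> Table:
    """Apply every ledger entry, oldest first, to a freshly restored table.
    The restored input is not modified; a corrected copy is returned."""
    table: Table = {sid: dict(rec) for sid, rec in restored.items()}
    for entry in sorted(ledger, key=lambda e: e.granted_at):
        if entry.action == "erase":
            # pop with a default keeps the replay idempotent if it runs twice
            table.pop(entry.subject_id, None)
        elif entry.action == "rectify":
            # a rectification for a subject already erased is simply skipped
            if entry.subject_id in table:
                table[entry.subject_id].update(entry.changes or {})
        else:
            raise ValueError(f"unknown ledger action {entry.action!r}")
    return table


def still_in_reach(table: Table, ledger: List[LedgerEntry]) -> List[str]:
    """Audit check: subjects erased under a SAR that the table still holds.
    An empty list is the expected result after a correct restore."""
    erased = {e.subject_id for e in ledger if e.action == "erase"}
    return sorted(sid for sid in erased if sid in table)


# Constructed sample: the image was taken before these SARs were granted.
BACKUP_IMAGE: Table = {
    "S-100": {"name": "A. Example", "email": "a@example.test"},
    "S-200": {"name": "B. Example", "email": "b@example.test"},
    "S-300": {"name": "C. Example", "email": "old@example.test"},
}
SAR_LEDGER = [
    LedgerEntry("SAR-7", "S-300", "rectify", "2018-06-02T10:00:00",
                {"email": "new@example.test"}),
    LedgerEntry("SAR-8", "S-200", "erase", "2018-06-05T09:30:00"),
    # granted after the erasure of S-200: must not resurrect the record
    LedgerEntry("SAR-9", "S-200", "rectify", "2018-06-06T08:00:00", {"name": "X"}),
]


def restore_and_check() -> tuple:
    """Restore, replay the ledger, return (corrected table, leaked subject ids)."""
    corrected = replay_ledger(BACKUP_IMAGE, SAR_LEDGER)
    return corrected, still_in_reach(corrected, SAR_LEDGER)


if __name__ == "__main__":
    table, leaked = restore_and_check()
    print("subjects after replay:", sorted(table))
    print("erased subjects still present:", leaked)
```

Running `still_in_reach` against the raw restored image (before replay) is the negative test an auditor would expect to see in the restore runbook.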

Transparency

GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in easily accessible form, and must be provided in writing within one month, at the latest.

GDPR does not give a definition of a month, but Recital 59 states, “The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.” It does not suggest a specific number of days, so this is open to organizations to interpret. Whether an organization defines a specific number of days or refers to a calendar month appears to be within its authority; however, whatever the choice, it should be documented and consistently applied.

GDPR also does not expand on when the clock starts ticking in terms of responding to a SAR. However, on the basis that providing personal data to the wrong data subject would constitute a data breach, it is reasonable to assume that an organization should undertake checks to validate the authenticity of a SAR before issuing a response. It is then also reasonable to assume that, once the identity of the data subject has been confirmed, the clock starts.

In addition to auditors reviewing and validating the SAR response log, they also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable. If this is not the case, then the organization should look at the reasons why and amend accordingly.
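The SAR response-log review described above, as an added example that is not from the paper: each log entry carries the date identity was confirmed (the clock start), the deadline is derived from the enterprise’s documented reading of “one month” (a calendar month clipped to the month end, or a fixed 30 days, both assumed policies), and a response issued before identity validation is flagged as a control failure. Log fields and sample entries are constructed.

```python
"""Audit a subject access request (SAR) response log against the one-month
response window.  Added example: field names, the two deadline policies and
the sample log are constructed assumptions."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def add_calendar_month(start: date) -> date:
    """Same day next month, clipped to that month's last day (assumed to be
    the enterprise's documented reading of 'one month')."""
    year, month = (start.year + 1, 1) if start.month == 12 else (start.year, start.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(clock_start: date, policy: str) -> date:
    """Deadline under the documented policy; any other policy is rejected so
    that an undocumented interpretation cannot slip into the audit."""
    if policy == "calendar_month":
        return add_calendar_month(clock_start)
    if policy == "fixed_30_days":
        return clock_start + timedelta(days=30)
    raise ValueError(f"undocumented deadline policy {policy!r}")


@dataclass(frozen=True)
class SarEntry:
    sar_id: str
    received: date
    identity_confirmed: Optional[date]   # the clock starts here, not at receipt
    responded: Optional[date]


def audit_entry(entry: SarEntry, policy: str, today: date) -> str:
    """Classify one log entry for the auditor."""
    if entry.responded is not None and (
        entry.identity_confirmed is None or entry.responded < entry.identity_confirmed
    ):
        # data released before the requester was validated: potential breach
        return "control_failure: response issued before identity validated"
    if entry.identity_confirmed is None:
        return "awaiting_validation"
    deadline = response_deadline(entry.identity_confirmed, policy)
    if entry.responded is None:
        return "overdue" if today > deadline else "open"
    return "on_time" if entry.responded <= deadline else "late"


def audit_sar_log(log: List[SarEntry], policy: str, today: date) -> Dict[str, str]:
    return {e.sar_id: audit_entry(e, policy, today) for e in log}


# Constructed sample log.
SAMPLE_LOG = [
    SarEntry("SAR-001", date(2018, 6, 1), date(2018, 6, 4), date(2018, 7, 2)),
    # confirmed 31 May: calendar-month deadline clips to 30 June, so 1 July is late
    SarEntry("SAR-002", date(2018, 5, 29), date(2018, 5, 31), date(2018, 7, 1)),
    SarEntry("SAR-003", date(2018, 6, 10), None, None),
    SarEntry("SAR-004", date(2018, 6, 12), date(2018, 6, 20), date(2018, 6, 15)),
    SarEntry("SAR-005", date(2018, 6, 20), date(2018, 6, 21), None),
]

if __name__ == "__main__":
    for sar_id, finding in audit_sar_log(SAMPLE_LOG, "calendar_month", date(2018, 7, 10)).items():
        print(sar_id, finding)
```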



Purpose Limitation

Article 5 also states, “Personal data…shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

Data collected for one purpose cannot be repurposed without further consent. Auditors need to understand that the purpose limitation in GDPR is very narrow. This narrow interpretation was underlined in a recent ruling in France regarding Direct Energie. This ruling may be viewed as a sign of things to come under GDPR. In this case, the CNIL (Commission nationale de l’informatique et des libertés) board, which enforces law on data protection in France, issued a formal notice to Direct Energie for failing to obtain consent for the collection of customer usage data from its Linky smart meters, and ordered it to collect valid consent for the processing.

CNIL observed that at the time of the installation of the Linky meter, customers were asked to provide a single consent for the installation of the meter and for the collection of hourly electricity consumption data as a corollary of the activation of the meter and in order to benefit from certain tariffs; however, as the installation was mandatory, customers were in fact only consenting to the data collection. Therefore, CNIL determined that consent obtained in such a way by Direct Energie was invalid, as it could not be considered free, informed and specific. In addition, further shortcomings were found in relation to the collection of daily consumption data from the distribution network operator, which took place without requesting customers’ consent.[4]

For companies and their auditors, this is likely to be a tricky area and one that will see much activity in the courts. Auditors should be interested in the systems that have been put in place to validate the purpose, especially where consent is the basis. Each enterprise should know why it is collecting data, what the data are used for and whether their use complies with the stated processing purpose. The simplest approach is to create a schedule of uses of personal data and link this schedule to the personal data stored. Auditors should expect that records are flagged with a reference to a defined purpose that will in turn define the basis. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.

[4] DataGuidance, “France: CNIL’s notice to DIRECT ENERGIE on collection of smart meter data ‘indication of likely approach of DPAs post-GDPR’,” 29 March 2018, https://www.dataguidance.com/france-cnil-notice-direct-energie-collection-smart-meters-data-indication-likely-approach-dpas-post-gdpr/
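An added example (not the paper’s own material) of the linkage the paragraph above calls for, using the minimum information-asset-register fields recommended in the Accuracy section: each register entry references a purpose in a schedule of uses, the purpose fixes the lawful basis and the retention period, and the check flags entries whose basis, deletion date or sharing does not follow. The schedule, the register records and the retention values are constructed.

```python
"""Check an information asset register against the enterprise's schedule of
uses of personal data.  Added example: the schedule, the records and the
policy values are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Purpose:
    """One entry in the schedule of uses; it fixes the basis and the retention."""
    purpose_id: str
    description: str
    basis: str            # lawful basis the purpose was validated against
    retention_days: int   # taken from the records retention and deletion policy


@dataclass(frozen=True)
class RegisterEntry:
    """Minimum register fields: collection date, basis, purpose,
    deletion date/retention period, system(s), sharing (who / EU-stored?)."""
    asset_id: str
    collection_date: date
    basis: str
    purpose_id: str
    deletion_date: date
    systems: tuple
    shared_with: tuple
    eu_stored: bool


def check_entry(entry: RegisterEntry, schedule: Dict[str, Purpose], today: date) -> List[str]:
    """Findings for one register entry; an empty list means it passes."""
    findings: List[str] = []
    purpose = schedule.get(entry.purpose_id)
    if purpose is None:
        # the basis and retention derive from the purpose, so stop here
        return ["purpose not in schedule of uses"]
    if entry.basis != purpose.basis:
        findings.append(f"basis {entry.basis!r} differs from the purpose's basis {purpose.basis!r}")
    expected = entry.collection_date + timedelta(days=purpose.retention_days)
    if entry.deletion_date != expected:
        findings.append(f"deletion date {entry.deletion_date} does not follow policy ({expected})")
    if today > entry.deletion_date:
        findings.append("retention period expired; data should already be deleted")
    if entry.shared_with and not entry.eu_stored:
        findings.append("shared and not EU-stored; transfer safeguards must be evidenced")
    return findings


def audit_register(register: List[RegisterEntry], schedule: Dict[str, Purpose],
                   today: date) -> Dict[str, List[str]]:
    return {e.asset_id: check_entry(e, schedule, today) for e in register}


# Constructed schedule of uses and register.
SCHEDULE = {p.purpose_id: p for p in (
    Purpose("P-BILLING", "Invoice customers for electricity supplied", "contract", 2555),
    Purpose("P-MARKETING", "Send tariff offers", "consent", 730),
)}

REGISTER = [
    RegisterEntry("A-1", date(2016, 1, 10), "contract", "P-BILLING",
                  date(2016, 1, 10) + timedelta(days=2555), ("billing-db",), (), True),
    # wrong basis for a consent-based purpose, and past its deletion date
    RegisterEntry("A-2", date(2017, 3, 1), "legitimate interest", "P-MARKETING",
                  date(2019, 3, 1), ("crm",), ("mail-vendor",), True),
    # purpose never defined in the schedule
    RegisterEntry("A-3", date(2018, 5, 25), "consent", "P-ANALYTICS",
                  date(2020, 5, 25), ("data-lake",), ("partner",), False),
]

if __name__ == "__main__":
    for asset, findings in audit_register(REGISTER, SCHEDULE, date(2019, 6, 1)).items():
        print(asset, findings or ["ok"])
```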

Data Minimization

Article 5 states, “Personal data…shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

Processing should use only the data specifically required to accomplish a given task. Thus, to comply with GDPR, enterprises must implement data minimization rules and processes at every step of the data life cycle. Enterprises must limit personal data collection, storage and usage to what is relevant and necessary for processing. A new trend should emerge—less is more—and enterprises should not collect and store personal data just in case they might become useful in the future.

The key consideration is that only the minimum data for a defined purpose are collected and stored. For example, employers who collect sensitive medical data about their employees will have to consider the reasons why they do so. The question can be raised as to whether the data are relevant if an individual:

1. Had a hospital stay three years ago to have a wisdom tooth removed
2. Suffers from epilepsy

The first may not be relevant, but the second could be relevant with regard to safeguarding treatment of patients in the future. Each individual scenario needs to be considered on its own merits.


The key for the auditor is to assess the processes and associated rules that have been established to validate the data collected. An enterprise should be able to create a set of purposes that are governed by auditable rules and assign these rules to each data source.

Storage Limitation

GDPR Article 5 states:

Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

The key phrase to consider here is “permits identification.” Auditors should conclude from this that so long as the systems and processes work to anonymize the data at a given point in time, then it is acceptable to keep and utilize the data for modeling. In the context of GDPR, the systems and processes that have been put in place must prevent:

• Singling out—Is it possible to isolate someone in particular through the data?
• Linkage—Is it possible to link at least two records concerning the same data subject?
• Inference—Is it possible to deduce information about one person?

Once data are anonymized, GDPR no longer applies, but when data are truly anonymized they are considered by some to have lost much of their value.

One solution to this is pseudonymization, which involves replacing personally identifiable data within a data record with artificial identifiers, or pseudonyms. The pseudonyms make the data records unidentifiable when they are shared, but the data can be restored to their original state eventually, allowing individuals to be reidentified. This white paper does not explore this concept to any great length except to say that pseudonymization may significantly reduce the risk associated with data processing, while also maintaining the data’s value.
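An added example, not from the paper, of the pseudonymization just described together with two of the three checks listed above (singling out and linkage): direct identifiers are replaced by a keyed-hash token whose lookup table stays with the controller, a per-recipient label in the hash keeps two shared extracts from being linked, and a k-threshold over the remaining quasi-identifiers reveals records that still isolate one person. The records, secret key, recipient labels and threshold are constructed; HMAC-SHA256 is the assumed token function.

```python
"""Pseudonymize records with a keyed hash and test for the residual risks the
paper lists (singling out, linkage).  Added example: the records, key,
recipient labels and the k threshold are constructed."""
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Set, Tuple

DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("postcode", "birth_year")


def pseudonym(subject_key: str, secret: bytes, recipient: str) -> str:
    """Keyed token for one subject.  The recipient label is mixed into the
    message so the same person receives a different token in each shared
    extract; that is what stops two recipients linking their copies."""
    msg = f"{recipient}|{subject_key}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: List[dict], secret: bytes,
                 recipient: str) -> Tuple[List[dict], Dict[str, str]]:
    """Return (extract to share, token -> original key).  Only the controller
    keeps the lookup table, which is what allows later re-identification."""
    extract, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], secret, recipient)
        lookup[token] = rec["email"]
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        extract.append({"token": token, **kept})
    return extract, lookup


def singling_out(extract: List[dict], quasi=QUASI_IDENTIFIERS, k: int = 2) -> List[tuple]:
    """Quasi-identifier combinations held by fewer than k records.  Each one
    isolates a particular person even though the direct identifiers are gone."""
    counts = Counter(tuple(r[q] for q in quasi) for r in extract)
    return sorted(combo for combo, n in counts.items() if n < k)


def linkable_tokens(extract_a: List[dict], extract_b: List[dict]) -> Set[str]:
    """Tokens present in both extracts, i.e. records that can be linked to the
    same data subject across the two recipients."""
    return {r["token"] for r in extract_a} & {r["token"] for r in extract_b}


# Constructed sample data.
RECORDS = [
    {"name": "Ada", "email": "ada@example.test", "postcode": "AB1", "birth_year": 1980},
    {"name": "Bob", "email": "bob@example.test", "postcode": "AB1", "birth_year": 1980},
    {"name": "Cy", "email": "cy@example.test", "postcode": "CD2", "birth_year": 1975},
]
SECRET = b"constructed-demo-key-not-for-production"


def demo() -> Tuple[int, int, List[tuple]]:
    """(links between two extracts for the same recipient label, links between
    extracts for different labels, singling-out findings in the extract)."""
    for_x, _ = pseudonymize(RECORDS, SECRET, "partner-x")
    for_x_again, _ = pseudonymize(RECORDS, SECRET, "partner-x")
    for_y, _ = pseudonymize(RECORDS, SECRET, "partner-y")
    return (len(linkable_tokens(for_x, for_x_again)),
            len(linkable_tokens(for_x, for_y)),
            singling_out(for_x))


if __name__ == "__main__":
    print(demo())
```

The singling-out finding shows why removing names is not anonymization: the CD2/1975 record still identifies one person, so it must be generalized, suppressed or kept under the pseudonymization regime rather than treated as out of GDPR scope.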

Auditors should be concerned with validating these processes and their consistent application. Auditors should approach with caution and consider retention first and foremost in terms of other legislation and regulation before GDPR and the enterprise’s needs. GDPR only replaces existing data protection legislation and does not overwrite other existing legislation such as that relating to record retention (e.g., for tax purposes).

An enterprise should build into its records retention and deletion policies (both manual and electronic) the rules that ensure compliance with legislation and regulation. Auditors are familiar with a records retention review in that it covers:

• All manual and electronic data, including emails
• Industry or sector standards and/or best practice where retention is subject to specific requirements

The systems and technologies, in turn, support basic internal and external compliance requirements. For example, they:

• Provide ways to track and audit retention management
• Automate and enforce records destruction policies
• Enforce security requirements such as access control and tracking
• Record and audit for physical and electronic records, and security for modification and deletion rights with tracking

Where electronic data recording systems are used and offer facilities allowing retention periods to be set, the auditor should confirm that the facilities are being used and that the configured retention dates conform to the policy’s data review requirements. In addition, it is incumbent on the auditor to ensure the procedures are not only followed but adequate. Is the actual destruction of personal data properly carried out in accordance with the enterprise’s policy? Does the enterprise dispose of IT software and hardware in a manner that fully conforms to the enterprise’s policy?


EnterprisescaneasilyfailtocomplywithGDPRbyfailing

tosafeguardpersonaldataupondisposalofhardware

andsoftware.Differentcountrieshavetheirown

standardsfordisposalofdataassets;forexample,many

countrieshaveenactedoradoptedwastedelectricaland

electronicequipment(WEEE)lawsandregulations.

Thebusinessriskrelatedtoassetdisposalcanbe

substantialandfallsintotwomaincategories:

Data destruction—GDPRrequiresthatdatamustbeirretrievably1

destroyedpriortoITequipmentdisposal.

Asset disposal—TherevisedWEEEUKassetdisposallegislation2

mandatesthatbusinessesmustdisposeoftheirredundantIT

equipmentaccordingtostringentgovernmentdisposal

standards,havingalreadydestroyedthedatausingexacting

approvedmethodologies.

Confidentiality, Integrity andAvailabilityAnotherprinciplecontainedinArticle5concernsthe

integrityandconfidentialityofpersonaldata.This

principlecanbesummarizedasfollows:Personaldata

mustbeprocessedusingappropriatetechnicaland

organizationalsecuritymeasures,includingprotection

againstunauthorizedorunlawfulprocessingandagainst

accidentalloss,destructionordamage.

Auditorsandsecurityprofessionalsarefamiliarwiththis

area—therequirementsandbenefitsofkeepingdatasafe

andaccessibleandmaintainingtheirintegrity.But,this

has,forthemostpart,beenrestrictedtobusiness

sensitivedataandintellectualproperty(IP),withlittleor

nofocusonpersonaldata(unless,ofcourse,thebusiness

isinpersonaldata,suchashealthcare).

Auditorsareawareofthethreefundamentalprinciples

underpinninginformationsecurity:confidentiality,integrity

andavailability(CIA),knownas“theCIAtriad,”aconcept

developedmanyyearsago.Theinterestingthingfroma

GDPRperspectiveisthattheregulationappearstobe

fromthisconcept.

ConfidentialityInthecontextofGDPR,confidentialityisaboutprivacy.

Thepurposeofthisprincipleistoensurethatdataare

accessibleonlytopeoplewhoareauthorizedtoaccessit.

Forexample,apatient’smedicalhistoryissomethingthe

patientnormallywantskeptprivate,soonlyafewpeople,

suchasadoctortreatingthepatient,shouldhaveaccess

toit.

IntegrityGDPRrequiresdatatobeaccurateanduptodate.

Enterprisesshouldavoidmakingmultiplecopiesofthe

datawherepossibleandshouldalsobewaryofenriching

thedatainawaythatextendsbeyondthestatedpurpose

ofthedata’scollectionandprocessing.Therequirement

thatthecontrollershouldbeabletodemonstratethatthe

purposehasnotbeenextendedaddsanextrafacettothe

CIAtriad,inwhichintegrityreferstotheaccuracyandthe

reliabilityofdataorinformationinthesystembutdoes

notconsidertheoriginalpurposeforwhichitwas

collected.

Availability

In the context of GDPR, availability means exactly what it does in a security context: the data are available to authorized individuals when required. But, in GDPR, availability also refers to the accessibility of data subjects to the data and information held about them.

In the GDPR context, an organization will be judged as having a flawed process for dealing with SARs if it fails to provide a complete and accurate data set within the defined response time of one month.

As with confidentiality and integrity, interruptions in availability can happen without any intention of doing harm. For example, a cloud-based service can experience technical outages that impact the availability of the information systems using that platform. Other concerns can include power outages and natural disasters. So, from a GDPR perspective, what controls are in place to provide resilience?
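The one-month SAR response time above is something an auditor can test directly from the SAR log rather than from interviews. The following Python analytic is an added example, not part of the ISACA paper: it replays a constructed SAR log against the deadline and reports requests answered late, answered with an incomplete data set, or still open after the deadline passed. The month-end rule it applies (same calendar date in the following month, clamped to the last day of that month where no such date exists), the decision not to model any extension of the one-month period, and the field names and sample records are all assumptions made for the example.

```python
"""SAR response-time check (added example; not part of the ISACA paper).

A controller has one month from receipt of a subject access request (SAR) to
provide the data. This analytic replays a constructed SAR log against that
deadline and reports requests that were answered late, answered with an
incomplete data set, or are still open after the deadline has passed.

Assumptions (not from the paper): the deadline is the same calendar date in
the following month, clamped to the last day of that month when no such date
exists (31 Jan -> 28 or 29 Feb); extensions to the one-month period are not
modelled; "complete" is whatever the controller's own completeness check
recorded. Field names and the sample log are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SarRecord:
    request_id: str
    received: date
    responded: Optional[date]  # None while the request is still open
    complete: bool             # controller's record that every system holding the subject's data was covered


def sar_deadline(received: date) -> date:
    """One month after receipt, clamped to month end (assumption, see module docstring)."""
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def sar_deadline_iso(received_iso: str) -> str:
    """String wrapper so the deadline rule can be exercised without constructing dates."""
    return sar_deadline(date.fromisoformat(received_iso)).isoformat()


def assess_sar(rec: SarRecord, as_of: date) -> str:
    """Classify one request: 'ok', 'late', 'incomplete', 'overdue_open' or 'open'."""
    deadline = sar_deadline(rec.received)
    if rec.responded is None:
        return "overdue_open" if as_of > deadline else "open"
    if rec.responded > deadline:
        return "late"          # a late answer is a finding even if the data set was complete
    if not rec.complete:
        return "incomplete"    # on time but not the full data set: still a flawed process
    return "ok"


def sar_exceptions(records: List[SarRecord], as_of: date) -> Dict[str, str]:
    """Return {request_id: finding} for every request that is neither compliant nor still within time."""
    findings: Dict[str, str] = {}
    for rec in records:
        status = assess_sar(rec, as_of)
        if status not in ("ok", "open"):
            findings[rec.request_id] = status
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    SarRecord("SAR-001", date(2018, 1, 31), date(2018, 2, 28), True),   # month-end clamp; on time
    SarRecord("SAR-002", date(2018, 1, 31), date(2018, 3, 1), True),    # one day late
    SarRecord("SAR-003", date(2018, 3, 15), date(2018, 4, 10), False),  # on time, data set incomplete
    SarRecord("SAR-004", date(2018, 5, 2), None, False),                # still open, deadline passed
    SarRecord("SAR-005", date(2018, 6, 20), None, False),               # still open, within time
]


def run_sample() -> Dict[str, str]:
    """Exceptions in the sample log as at 1 July 2018."""
    return sar_exceptions(SAMPLE_LOG, as_of=date(2018, 7, 1))


if __name__ == "__main__":
    for request_id, finding in sorted(run_sample().items()):
        print(f"{request_id}: {finding}")
```

The point of separating "late" from "incomplete" is that both are findings under the paragraph above, but they point at different control failures: the first at the request-handling workflow, the second at the controller's ability to locate every system that holds the subject's data.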


ISACA has produced a publication titled Information Security Management Audit/Assurance Program⁵⁵, which is a good basis for undertaking an ISM audit and can easily be extended to encompass personal data. The scope of the program is extensive but, for GDPR needs, the auditor should focus on personal data and information:

• Information security management—Processes associated with governance, policy, monitoring, incident management and management of the information security function
• Information security operations management—Processes associated with the implementation of security configurations
• Information security technology management—Processes associated with the selection and maintenance of security technologies

In addition to the topics just listed, it will also be necessary to undertake the following discrete audits to support the assurance opinion:

• Identity and access management
• Security incident management
• Network perimeter security
• Systems development
• Project management
• IT risk management
• Asset/Data management
• Vulnerability management

Third-Party Data Processors

Under GDPR Article 28, controllers may appoint only those processors who can provide "sufficient guarantees" to meet the requirements of GDPR. Processors must act only on the documented instructions of the controller, and they can be held directly responsible for noncompliance with GDPR obligations or the controller's instructions. In these instances, processors may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.

What does Article 28 mean in practice for the data controller? Data controllers are responsible for:

• Knowing who the data processors are
• Knowing what information the enterprise is sharing with them
• Knowing how they are protecting it
• Considering how GDPR can be used to manage risk and compliance in the supply chain

Auditors need to satisfy themselves that the contracts register is maintained, complete and up to date and contains a robust approach to additions and deletions. Auditors should expect to see that a supplier risk assessment has been completed that serves to rank each supplier in terms of data risk. If there is any doubt, the auditor should select a sample and ask the vendor to complete a GDPR compliance and data security questionnaire.

Not all third-party data processors will process personal data. The auditor should ensure that processors of personal data are flagged in the contracts register. The register should document the data category, record the processing activities undertaken and link to the records of processing system. Because breach notification is a critical risk area, the auditor should make sure it too is covered in the contracts register.

Auditors who rely on compliance with international standards such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 or attestations should ensure that the scope is appropriate, the certification is up to date and the certifying body is accredited. In addition, relative to a service auditor's report, it is advisable to confirm that the author has the appropriate skills and the report's scope is sufficient in that it covers the areas of the organization that pertain to the service provision. It is also wise to check that the period covered by the report is within the past 12 months.

The auditor should also ask to inspect the third parties' GDPR framework policy to ensure that, at a minimum, it includes:

• IT security policy
• Records management policy
• Business continuity management and disaster recovery
• Breach response plan
• Privacy policy
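The register checks described in this section lend themselves to a repeatable analytic rather than a one-off walkthrough. The following Python check is an added example, not code from the ISACA paper or from any named product: it runs over a constructed contracts register and reports, per supplier, which of the points above are missing (personal-data flag with data categories, processing activities and a link to the records of processing; a contracted breach notification obligation; a supplier risk rank; and, where an ISO/IEC 27001 certificate or service auditor's report is relied upon, whether its scope covers the service, its issuer is accredited and it is less than 12 months old). The field names, the sample suppliers, the attestation labels and the reading of "within the past 12 months" as 365 days are assumptions made for this example.

```python
"""Contracts-register completeness check (added example; not part of the ISACA paper).

Runs the checks an auditor is asked to make for each third-party processor over a
constructed register. Field names, sample suppliers, attestation labels and the
365-day reading of "within the past 12 months" are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Attestation:
    kind: str                    # e.g. "ISO27001" or "SOC2" (constructed labels)
    scope_covers_service: bool   # does the certified scope include the service provided to us?
    issuer_accredited: bool      # certifying body accredited / service auditor suitably skilled
    report_date: date            # end of the period the certificate or report covers


@dataclass
class ProcessorEntry:
    supplier: str
    processes_personal_data: bool
    data_categories: List[str] = field(default_factory=list)
    processing_activities: List[str] = field(default_factory=list)
    ropa_ref: Optional[str] = None             # link to the records-of-processing entry
    breach_notification_clause: bool = False   # breach notification covered in the contract
    risk_rank: Optional[str] = None            # output of the supplier data-risk assessment
    attestation: Optional[Attestation] = None  # certificate/report the auditor intends to rely on


def attestation_findings(att: Optional[Attestation], as_of: date) -> List[str]:
    """Issues with an attestation being relied upon; empty if nothing is relied upon."""
    if att is None:
        return []
    issues = []
    if not att.scope_covers_service:
        issues.append(f"{att.kind} scope does not cover the service provided")
    if not att.issuer_accredited:
        issues.append(f"{att.kind} issuer not accredited")
    if as_of - att.report_date > timedelta(days=365):   # assumption: 12 months read as 365 days
        issues.append(f"{att.kind} report older than 12 months")
    return issues


def register_findings(entry: ProcessorEntry, as_of: date) -> List[str]:
    """All findings for one register entry, in a fixed order."""
    issues = []
    if entry.risk_rank is None:
        issues.append("no supplier risk rank")
    if not entry.processes_personal_data:
        return issues   # suppliers outside personal data need only the risk ranking
    if not entry.data_categories:
        issues.append("data category not recorded")
    if not entry.processing_activities:
        issues.append("processing activities not recorded")
    if not entry.ropa_ref:
        issues.append("no link to records of processing")
    if not entry.breach_notification_clause:
        issues.append("breach notification not covered in contract")
    issues.extend(attestation_findings(entry.attestation, as_of))
    return issues


def audit_register(register: List[ProcessorEntry], as_of: date) -> Dict[str, List[str]]:
    """Map supplier -> findings, for suppliers with at least one finding."""
    report: Dict[str, List[str]] = {}
    for entry in register:
        issues = register_findings(entry, as_of)
        if issues:
            report[entry.supplier] = issues
    return report


# Constructed sample register (not real suppliers or data).
SAMPLE_REGISTER = [
    ProcessorEntry("PayrollCo", True, ["employee"], ["payroll processing"], "ROPA-007", True, "high",
                   Attestation("ISO27001", True, True, date(2018, 3, 1))),
    ProcessorEntry("CloudCRM", True, ["customer contact"], ["hosting", "support"], None, False, "high",
                   Attestation("SOC2", False, True, date(2017, 2, 1))),
    ProcessorEntry("OfficeSupplies", False),
]


def run_sample() -> Dict[str, List[str]]:
    """Findings for the sample register as at 30 September 2018."""
    return audit_register(SAMPLE_REGISTER, as_of=date(2018, 9, 30))


if __name__ == "__main__":
    for supplier, issues in run_sample().items():
        print(supplier)
        for issue in issues:
            print("  -", issue)
```

A supplier that processes no personal data still needs a risk rank, since the text expects every supplier to have been ranked; the remaining checks apply only once the personal-data flag is set, which is why that flag has to be reliable in the register before the rest of the analytic means anything.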

55 ISACA, Information Security Management Audit/Assurance Program, 2010, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Management-Audit-Assurance-Program.aspx

Conclusion

GDPR does not reflect a whole new philosophy regarding auditing personal data. Rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might have previously encountered.

Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise's annual audit plan. While some might argue that processing a SAR is relatively new, others might counter by saying that the SAR is just another element of management information/reporting and, as such, needs to be accurate, concise and timely. The distinction is that the recipient happens to be a member of the public rather than a member of the board or a regulatory body.

Auditors will be better served not to think in terms of GDPR but rather of data and the application of the rules.


Acknowledgments

Lead Developer

Steven Connors, FFA, FFTA, FIPA, IT Partner, United Kingdom

Expert Reviewers

Graham Carter, Corporate IS Risk and Compliance Manager, United Kingdom
Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT, FACS CP, Director of Information Security and IT Assurance, Australia
Laszlo Dellei, CCISO, ITIL, Partner, Budapest
Scott Rosenmeier, CISSP, ISSAP, ISSMP, Senior Information Security Manager, Germany
Michael J. Podemski, CIPM, CIPT, Senior Manager, Advisory Services, USA

ISACA Board of Directors

Rob Clyde, Chair, CISM, Clyde Consulting LLC, USA
Brennan Baybeck, Vice-Chair, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA
Tracey Dedrick, Former Chief Risk Officer with Hudson City Bancorp, USA
Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP, CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP, Merck & Co., Inc., Singapore
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP, Holistics GRC, Mexico
Gregory Touhill, CISM, CISSP, Cyxtera Federal Group, USA
Ted Wolff, CISA, Vanguard, Inc., USA
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT, South Africa
Theresa Grafenstine, ISACA Board Chair, 2017-2018, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, Deloitte & Touche LLP, USA
Chris K. Dimitriadis, Ph.D., ISACA Board Chair, 2015-2017, CISA, CRISC, CISM, INTRALOT, Greece
Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA, USA
Robert E Stroud (1965-2018), ISACA Board Chair, 2014-2015, CRISC, CGEIT, XebiaLabs, Inc., USA

ISACA is deeply saddened by the passing of Robert E Stroud in September 2018.


1700 E. Golf Road, Suite 400

Schaumburg, IL 60173, USA

Phone: +1.847.660.5505

Fax: +1.847.253.1755

Support: support.isaca.org

Website: www.isaca.org

Participate in the ISACA

Knowledge Center: www.isaca.org/knowledge-center

Twitter: www.twitter.com/ISACANews

LinkedIn: www.linkd.in/ISACAOfficial

Facebook: www.facebook.com/ISACAHQ

Instagram: www.instagram.com/isacanews/

About ISACA

Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today's world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 217 chapters and offices in both the United States and China.

About ACL

ACL's purpose-built, cloud-based platform helps IT teams manage governance over cybersecurity, privacy, regulations, risk and compliance. ACL makes it easy to continuously analyze data, enabling robotic automation of governance activities and visualization of patterns. And with over 30 years of experience, built-in best practices and a professional development ecosystem, ACL quickly helps IT managers work more efficiently, identify and mitigate risk, reduce compliance pressures, and ensure audit and regulatory readiness. For more information, please visit: www.acl.com.

DISCLAIMER

ISACA has designed and created How to Audit GDPR (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.


Provide Feedback: www.isaca.org/how-to-audit-GDPR

RESERVATION OF RIGHTS

© 2018 ISACA. All rights reserved.


Are you confident in YOUR GDPR ASSURANCE PROGRAM?

Implementing an effective GDPR compliance program is a significant challenge—and delivering GDPR assurance demands a change from business as usual.

You can tame the challenge. ACL is the perfect platform to help you define and execute an effective and efficient GDPR audit program.

ACL’s single, centralized platform helps you manage, audit, and report on your GDPR program and any other obligations—whilst providing continuous governance and oversight.

Get up and running fast with our industry-leading SaaS-based solution

Uncover potential data governance issues with data-driven analytics

Work with ISACA GDPR pre-loaded frameworks, compliance maps, and best practice accelerators

Automate workflows and reduce audit execution time

Demonstrate GDPR compliance with rich, real-time reporting and dashboards.

ACL's governance technology powered by data automation can help you get there. Download your GDPR Success Kit at acl.com/ISACA-GDPR