Wednesday, February 7, 2018

Beyond GDPR Compliance – How IT Audit Can Move from Watchdog to Strategic Partner

IT auditors can act as strategic but independent partners to businesses currently working toward compliance with the European Union General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

Executive management increasingly expects the audit function to add more value to the business as a subject matter expert in all areas of risk management, as well as by supporting key business objectives and strategic initiatives. GDPR compliance is fundamentally a risk management exercise, which the audit function is well equipped to support.

Technology breaks down organizational silos
GDPR compliance demands attention and remediation expertise from various functions within the business, including human resources, legal, compliance, marketing, communications and IT. For compliance efforts to succeed, the unintentional walls that often exist between these functions need to be broken down.

While GDPR compliance is not solely a technology issue, technology acts as a common denominator across business processes and plays a significant role in the collection, processing, storage and transfer of personal data. This is why IT auditors in particular can use their overarching view of technology across the organisation to highlight interdependencies and gaps in GDPR compliance efforts.

In addition to supporting a robust control environment, IT auditors can act as risk consultants while maintaining their auditor independence.

During the remediation work that GDPR compliance requires, IT auditors should establish strategic partnerships within the business by:

  • Leveraging their understanding of the technology landscape to provide a big picture view of data risk beyond individual remediation workstreams;
  • Highlighting control interdependencies and escalating potential control design gaps through early identification;
  • Advocating for data privacy risk to be considered and prioritized within IT transformation activities.

Below are five examples of GDPR compliance workstreams and technology domains where IT audit can add value by providing an independent view.

1. Data Protection Impact Assessments (DPIA)
IT auditors acting as subject matter experts can help facilitate discussions so that the risks and impact of processing personal data are considered as early as possible when initiating new IT projects or vendor relationships.

The early identification of data protection risks through DPIA exercises is a significant step for successful implementation of privacy-by-design within:

  • The existing data processing estate;
  • In-flight IT projects (development and acquisition); and
  • Future technologies and longer-term IT changes.

Beyond merely satisfying compliance requirements, IT auditors should help the business take a longer-term view by institutionalising data protection impact assessments (Article 35) and fostering new ways of thinking about the impact of privacy on data processing activities.

2. Data Governance and Data Flows
Organisations (data controllers and data processors) must demonstrate their compliance with GDPR by maintaining records of the processing activities under their responsibility (Article 30) and by implementing appropriate technical and organisational measures to secure that processing (Article 32).

This requirement aligns closely with the main objective of data governance: managing data as a strategic business asset in order to derive maximum value from it.

Effective data governance involves understanding data flows within business processes and ensuring the stewardship of data through activities such as developing data architectures, implementing quality management, data integration and metadata management.

As organizations develop and maintain records of their personal data processing, IT auditors can provide a view on data flow mapping activities. Key questions to ask business representatives include:

  • What personal data items are being collected and in what formats?
  • At what point in the data flow is lawful processing of personal data determined? 
  • Can storage locations and formats readily support the enforcement of data subject rights, including subject access requests, the right to erasure, rectification and portability?

IT auditors can help facilitate evaluations of the completeness of data flows by sharing good practices from their experience in mapping business processes during scoping activity...

https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=943

===

by Idham Azhari
