Key Considerations for Assessing GDPR Compliance3 min read
The European Union General Data Protection Regulation (GDPR), which took full effect in May this year, solidifies the protection of data subjects’ “personal data,” harmonizes the data privacy laws across Europe and protects and empowers EU citizens’ data privacy, in addition to changing the way data is managed and handled by organizations.
The GDPR regulation affects people across the globe. The scope of GDPR is quite wide-ranging, and can apply to many global institutions with operations in Europe. Certainly, GDPR has created more power for data regulators, due to the severe potential financial penalties for non-compliance (maximum of 4 percent of annual global turnover or €20 Million, whichever is higher).
A few of the key things to know about GDPR are:
- The regulation governs how institutions collect, record, use, disclose, store, alter, disseminate, and process the personal data of individuals in the EU.
- If a breach involves personal data, the Data Protection Authorities must be notified within 72 hours.
- It governs the rights of data subjects, including rights to access, rectification, erasure, restricting processing, data portability, and rights in relation to automated decision-making and profiles.
How do I assess my GDPR compliance?
All these are essential reasons for institutions to ensure that the proper governance and tactical steps are taken for compliance with GDPR regulation. The GDPR Audit Program Bundle developed by ISACA does just this by helping provide institutions with a guide for assessing, validating, and reinforcing the GDPR regulations by which institutions must abide. The audit program was developed to provide enterprises with a baseline focusing on several key areas and their respective sub-processes, that covers all key components of GDPR, including:
- Data governance
- Acquiring, identifying and classifying personal data
- Managing personal data risk
- Managing personal data security
- Managing the personal data supply chain
- Managing incidents and breaches, create and maintain awareness
- Properly organizing a data privacy organization within your institution
Also included are key testing steps involving control category types and frequency to help facilitate the effective discussion and analysis as it fits your institution. The important thing to remember is that there is no absolute right way to go about becoming GDPR-compliant. However, a robust and thorough review of your GDPR environment as it pertains to data processing for your institution is required to ensure a proper baseline is used to assess compliance and successfully execute a GDPR compliance program.
Editor’s note: ISACA has addressed both general and particular audit perspectives for GDPR through its new GDPR Audit Program Bundle. Download the audit program bundle here. Access a complimentary white paper, “How To Audit GDPR,” here.
Mohammed J. Khan, CISA, CRISC, CIPM, Global Audit Head – IT, Privacy, Medical Device Cybersecurity
[ISACA Now Blog]