HOW TO AUDIT GDPR
CONTENTS
4  Introduction
5  Overview of GDPR
6  Auditing GDPR: Key Principles
6  / Data Controller vs. Data Processor
7  / Lawfulness, Accuracy, Fairness and Transparency
7  / Lawfulness
7  / Accuracy
8  / Fairness
9  / Transparency
10 / Purpose Limitation
10 / Data Minimization
11 / Storage Limitation
12 / Confidentiality, Integrity and Availability
12 / Confidentiality
12 / Integrity
12 / Availability
13 / Third-Party Data Processors
14 Conclusion
15 Acknowledgments
ABSTRACT
The General Data Protection Regulation (GDPR) introduces new rules that govern the use and manipulation of personal data. Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance. This white paper explores the role of audit with respect to GDPR and outlines how audits can be delivered in an effective and efficient manner.
Introduction
The General Data Protection Regulation 2016/679 (GDPR) became effective on 25 May 2018 in the European Union. It supersedes the Data Protection Directive 95/46/EC.

The Data Protection Directive 95/46/EC differed from the new GDPR in that it was issued as a directive, not a regulation. Simply put, under EU law, directives set out goals to be achieved by all member countries, who have the authority to decide upon the nature of implementation. Regulations, on the other hand, are acts of the European Parliament and, therefore, are binding upon all member countries of the Union and supersede national laws.

Because the Data Protection Directive was, in fact, a directive, there was a lack of consistency in its application across the EU. GDPR seeks to rectify this, but member states have been allowed derogations that have to be justified on grounds of national interest.

Historically, authorities have lagged behind rapid advances in technology when approaching data protection regulation, particularly in regard to communications technologies that corporations and governments use to connect with data subjects.

In 1989, the concept of universal access to a World Wide Web was essentially science fiction. Over the last 30 years, data protection legislation has developed little beyond its initial attempts to address traditional communication systems, despite monumental advances in the complexity and scope of data traffic over the Internet.

GDPR gives EU residents control over their personal data [1] wherever in the world they or their data may reside. It not only standardizes regulation across the EU and the European Economic Area (EEA), it also affects all enterprises that process data from EU/EEA countries. Penalties for noncompliance are severe. Enforcement authorities can impose fines of up to 4 percent of worldwide revenue or €20 million, whichever is higher.

Figure 1 represents key domains and associated requirements under GDPR.
FIGURE 1: Key GDPR Domains and Requirements
[Figure 1 is a diagram. Its recoverable content is summarized here.]
• DPO: a DPO is required for the public sector, for enterprises that store or process sensitive data, and for data processors; otherwise a DPO is not required.
• Data breach: response plan; communicate within 72 hours of discovery; impact assessment; fix.
• Documentation: document data processing activities (who you are, what you are doing with the data, legal basis for storing and processing, privacy notices, data retention periods, right of complaint to the ICO).
• Data audit: what, where, why, whom it is shared with, origin, legally entitled.
• Identify: information systems that store or process personal data; secure; monitor.
• GDPR subject access requests: develop systems and allocate resources to validate and respond; internal processes for rejection, response, porting data, amending and erasure.
• Awareness: management awareness; operations training.
[1] GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” See GDPR Article 4(1).
Today, search and social media titans like Google and Facebook exemplify the ubiquity and accessibility of personal data. To address this vast capacity for acquiring, storing and transmitting personal data across countless enterprises and governments alike, GDPR advances new rules that limit the use and processing of personal data regardless of where the activities are conducted. Auditors are critical resources in helping enterprises achieve and maintain compliance. Because GDPR is a new, complex and comprehensive regulation that impacts multiple functional areas within an enterprise, auditors will have many questions and face new challenges when executing their duties. This paper anticipates issues likely to arise under GDPR, and answers questions that auditors have not historically faced when conducting engagements.
Overview of GDPR
GDPR unifies data privacy laws across the European Union, gives individuals control over their personal data and protects their privacy. It extends the scope of EU data protection law to all international enterprises processing the data of EU citizens, wherever citizens may reside.

Traditionally, data protection involved a relatively simple set of rules that enterprises followed in managing personal data. Auditors developed a suite of audit programs to validate compliance with personal data laws, regulations and internal policies.

GDPR looks at all data from the perspective of the data subject or “natural person,” per the terminology of the regulation. This shift in regulatory perspective implicitly challenges a corporate ethos of self-interest that has traditionally considered corporate needs first and the rights of data subjects second.

Accordingly, GDPR forces auditors to change their approach to personal data and their protection in an enterprise.

Until court rulings begin to interpret and apply GDPR, and ultimately yield a critical mass of case law to inform auditing norms in actual practice, auditors and others will perhaps not have complete clarity on the set of validation rules. In the intervening period, auditors should consider looking at GDPR in the way that Working Party 29 [2] of the European Commission intended: as a holistic approach to protecting citizens’ personal data, with the interests of the individual at its core. GDPR develops the premise of individual data subjects being the owners of their personal data and confers rights and responsibilities on those with whom the data are shared. As GDPR principles become embedded in corporate processes, it could be said that focusing on the rights of the data subject now displaces, or perhaps replaces, corporate self-interest. Many readers may question the concept of ownership in the age of big data.

In the longer term, it remains to be seen whether the concept of ownership is compatible with the growth in the digital economy. Governments and corporates share information in huge quantities and at an increasingly granular level. It is used for security, commerce and by political parties. In many cases it is used to model human behavior at an individual or collective level. For example, recently, TechCrunch, a digital economy news site, noted, “Uber, the world’s largest taxi company, owns no vehicles. Facebook, the world’s most popular media owner, creates no content. Alibaba, the world’s most valuable retailer, has no inventory. And Airbnb, the world’s largest accommodation provider, owns no real estate…. Something interesting is happening.” [3]

[2] The Article 29 Working Party included representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board, under GDPR.
[3] Goodwin, T.; “The Battle Is For The Customer Interface,” TechCrunch, 3 March 2015, https://techcrunch.com/2015/03/03/in-the-age-of-disintermediation-the-battle-is-all-for-the-customer-interface/
…likely lead to organizations pushing the envelope, which could lead to some interesting legal challenges in the years to come. But in the meantime, auditors will need to be mindful of profiling and construct audit programs to provide assurance that this area of risk is addressed accordingly.

Auditing GDPR is about assessing the controls put in place to respond to risk; it should consider the trio of risk (figure 2) across all facets of an enterprise:
• People
• Processes
• Technology

FIGURE 2: Information Risk (People, Processes, Technology)

1 Lawfulness, fairness and transparency
2 Purpose limitations
3 Data minimization
4 Accuracy
5 Storage limitations
6 Integrity and confidentiality

Each of the above principles is explored in more detail later in this paper.

By making the data controller responsible, he/she is also accountable, and this sometimes finds itself incorrectly referred to as the seventh principle. In reality, the controller is accountable for ensuring compliance with the six key principles referred to previously. Auditors are concerned with validating the level of compliance.

[Figure: Supervisory authority; Data breach notification; Data subject(s)]
3 Right to erasure of the data (right to be forgotten)
4 Right to restriction of processing
5 Right to data portability (to be given personal data in a structured and commonly used and machine-readable format and transmit such data to another controller)
6 Right to object to the processing of personal data, including profiling
7 Right not to be subject to a decision based solely on automated processing, including profiling, where such processing may have legal ramifications or significantly affect the rights of the data subject

These rights are exercised through a subject access request (SAR). While SARs have been common in the United Kingdom for a number of years, albeit not in high volumes and predominantly relating to employment issues, GDPR introduces greater rigor. The organization’s response must meet requirements for timescales and information provided.

Each process begins with a request, goes through validation and results in a response. Auditors are interested in evaluating the appropriateness of the process and testing its effectiveness and the consistency of its application.

New applications may have access request policies built in, but auditors should ascertain whether these applications have been correctly configured and examine how they interface with a SAR system that may have been procured or created to manage this process.

An area that may concern many organizations is backup and recovery. The backup industry has been promoting image-based backups for disaster recovery, but these create challenges in relation to GDPR where a full restore is required. Enterprises must put processes in place to deal with reapplication of data changes under the right to be forgotten and right to rectification in these circumstances.

Auditors should validate that the systems created to ensure that personal data that have been put out of reach as a result of a SAR keep those data out of reach in the event of a full restore from backup.

Transparency
GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in easily accessible form, and must be provided in writing within one month, at the latest.

GDPR does not give a definition of a month, but Recital 59 states, “The controller should be obliged to respond to requests from the data subject without undue delay and
… however, whatever the choice, it should be documented and consistently applied.

GDPR also does not expand on when the clock starts ticking in terms of responding to a SAR. However, on the basis that providing personal data to the wrong data subject would constitute a data breach, it is reasonable to assume that an organization should undertake checks to validate the authenticity of a SAR before issuing a response. It is then also reasonable to assume that, once the identity of the data subject has been confirmed, the clock starts.

In addition to auditors reviewing and validating the SAR response log, they also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable. If this is not the case, then the organization should look at the reasons why and amend accordingly.
Purpose Limitation
Article 5 also states, “Personal data…shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

Data collected for one purpose cannot be repurposed without further consent. Auditors need to understand that the purpose limitation in GDPR is very narrow. This narrow interpretation was underlined in a recent ruling in France regarding Direct Energie. This ruling may be viewed as a sign of things to come under GDPR.

In this case, the CNIL (Commission nationale de l’informatique et des libertés) board, which enforces data protection law in France, issued a formal notice to Direct Energie for failing to obtain consent for the collection of customer usage data from its Linky smart meters, and ordered it to collect valid consent for the processing.

CNIL observed that at the time of the installation of the Linky meter, customers were asked to provide a single consent for the installation of the meter and for the collection of hourly electricity consumption data as a corollary of the activation of the meter and in order to benefit from certain tariffs; however, as the installation was mandatory, customers were in fact only consenting to the data collection. Therefore, CNIL determined that consent obtained in such a way by Direct Energie was invalid, as it could not be considered free, informed and specific. In addition, further shortcomings were found in relation to the collection of daily consumption data from the distribution network operator, which took place without requesting customers’ consent. [4]

For companies and their auditors, this is likely to be a tricky area and one that will see much activity in the courts. Auditors should be interested in the systems that have been put in place to validate the purpose, especially where consent is the basis. Each enterprise should know why it is collecting data, what the data are used for and whether their use complies with the stated processing purpose. The simplest approach is to create a schedule of uses of personal data and link this schedule to the personal data stored. Auditors should expect that records are flagged with a reference to a defined purpose that will in turn define the basis. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.

Data Minimization
Article 5 states, “Personal data…shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

Processing should use only the data specifically required to accomplish a given task. Thus, to comply with GDPR, enterprises must implement data minimization rules and processes at every step of the data life cycle.

Enterprises must limit personal data collection, storage and usage to what is relevant and necessary for processing. A new trend should emerge (less is more) and enterprises should not collect and store personal data just in case they might become useful in the future.

The key consideration is that only the minimum data for a defined purpose are collected and stored. For example, employers who collect sensitive medical data about their employees will have to consider the reasons why they do so. The question can be raised as to whether the data are relevant if an individual:
1 Had a hospital stay three years ago to have a wisdom tooth removed
2 Suffers from epilepsy

The first may not be relevant, but the second could be relevant with regard to safeguarding treatment of patients in the future. Each individual scenario needs to be considered on its own merits.

[4] DataGuidance, “France: CNIL’s notice to DIRECT ENERGIE on collection of smart meter data ‘indication of likely approach of DPAs post-GDPR’,” 29 March 2018, https://www.dataguidance.com/france-cnil-notice-direct-energie-collection-smart-meters-data-indication-likely-approach-dpas-post-gdpr/
The key for the auditor is to assess the processes and associated rules that have been established to validate the data collected.

An enterprise should be able to create a set of purposes that are governed by auditable rules and assign these rules to each data source.

Storage Limitation
GDPR Article 5 states:
…

…length except to say that pseudonymization may significantly reduce the risk associated with data processing, while also maintaining the data’s value.

Auditors should be concerned with validating these processes and their consistent application. Auditors should approach with caution and consider retention first and foremost in terms of other legislation and regulation before GDPR and the enterprise’s needs. GDPR only replaces existing data protection legislation and does not overwrite other existing legislation such as that relating to
…

• Breach response plan
• Privacy policy

[5] ISACA, Information Security Management Audit/Assurance Program, 2010, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Management-Audit-Assurance-Program.aspx
Conclusion
GDPR does not reflect a whole new philosophy regarding auditing personal data. Rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might have previously encountered.

Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise’s annual audit plan. While some might argue that processing a SAR is relatively new, others might counter by saying that the SAR is just another element of management information/reporting and, as such, needs to be accurate, concise and timely. The distinction is that the recipient happens to be a member of the public rather than a member of the board or a regulatory body.

Auditors will be better served not to think in terms of GDPR but rather of data and the application of the rules.
Acknowledgments
Lead Developer
Steven Connors, FFA, FFTA, FIPA, IT Partner, United Kingdom

Expert Reviewers
Graham Carter, Corporate IS Risk and Compliance Manager, United Kingdom
Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT, FACS CP, Director of Information Security and IT Assurance, Australia
Laszlo Dellei, CCISO, ITIL, Partner, Budapest
Ted Wolff, CISA, Vanguard, Inc., USA
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT, South Africa

ISACA Board of Directors
Rob Clyde, Chair, CISM, Clyde Consulting LLC, USA
Brennan Baybeck, Vice-Chair, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA
Tracey Dedrick, Former Chief Risk Officer with Hudson City Bancorp, USA
Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP, CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP, Merck & Co., Inc., Singapore
Theresa Grafenstine, ISACA Board Chair, 2017-2018, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, Deloitte & Touche LLP, USA
Chris K. Dimitriadis, Ph.D., ISACA Board Chair, 2015-2017, CISA, CRISC, CISM, INTRALOT, Greece
Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA, USA
Robert E Stroud (1965-2018), ISACA Board Chair, 2014-2015, CRISC, CGEIT, XebiaLabs, Inc., USA

ISACA is deeply saddened by the passing of Robert E Stroud in September 2018.
About ISACA
Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today’s world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 217 chapters and offices in both the United States and China.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
About ACL
ACL’s purpose-built, cloud-based platform helps IT teams manage governance over cybersecurity, privacy, regulations, risk and compliance. ACL makes it easy to continuously analyze data, enabling robotic automation of governance activities and visualization of patterns. And with over 30 years of experience, built-in best practices and a professional development ecosystem, ACL quickly helps IT managers work more efficiently, identify and mitigate risk, reduce compliance pressures, and ensure audit and regulatory readiness.
For more information, please visit: www.acl.com.

Provide Feedback: www.isaca.org/how-to-audit-GDPR
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkd.in/ISACAOfficial
Facebook: www.facebook.com/ISACAHQ
Instagram: www.instagram.com/isacanews/

DISCLAIMER
ISACA has designed and created How to Audit GDPR (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
RESERVATION OF RIGHTS

You can tame the challenge. ACL is the perfect platform to help you define and execute an effective and efficient GDPR audit program.

ACL’s single, centralized platform helps you manage, audit, and report on your GDPR program and any other obligations, whilst providing continuous governance and oversight.
• Get up and running fast with our industry-leading SaaS-based solution
• Uncover potential data governance issues with data-driven analytics
• Work with ISACA GDPR pre-loaded frameworks, compliance maps, and best practice accelerators
• Automate workflows and reduce audit execution time
• Demonstrate GDPR compliance with rich, real-time reporting and dashboards.