Building a program? Better get your internal audit game right
Originally published at www.iapp.org
In the wake of several major data security breaches and increasing regulatory pressure on companies to protect confidential information, building an effective privacy program is crucial. Privacy practices are rapidly developing in all sectors and industries, and while non-compliance with the numerous industry, state, federal, and international regulations can cut heavily into profit margins, the effects of a data security breach can kill relationships with customers, vendors, and even stakeholders. According to the Federal Trade Commission, an effective privacy program “addresses the privacy risks related to the development and management of new and existing products and services for consumers; and protects the privacy and confidentiality of personal information.”
When faced with the constant metamorphosis of technology and information use in the global business environment, it can be challenging for a business to correctly identify its unique privacy risks and the sufficiency of any safeguards in place to manage those risks. For this reason, a well-developed internal audit function is essential.
When building a privacy program, an organization may look to its internal audit function first to assist in analyzing its privacy needs. An internal auditor that is well versed in risk management and the protection of data can aid in conducting privacy impact self-assessments (PIAs) to help identify key areas of privacy risk throughout the development life cycle of business initiatives, products and services, and technology. Further, conducting PIAs with the internal audit function aids businesses in better identifying gaps in existing privacy practices, and connecting applicable laws and regulations to the gaps in compliance activities related to those privacy risks. Once those areas of risk are identified, the internal auditor is the best tool an organization can use to assess privacy risk areas and any existing safeguards in place to control privacy-related risks.
An assessment of the risks should cover the management, notice, choice and consent, collection, use, retention and disposal, access, disclosure to third parties, quality, monitoring, and enforcement of existing privacy practices within the organization. It can be challenging for companies to perform these assessments without impairing the independence of the audit process. A well-developed internal audit function will be trained with the necessary skills and expertise to perform more thorough and objective assessments, which is critical to the design and build of a quality privacy framework.
When the needs of an organization to meet its privacy commitments are accurately identified, it can begin designing the appropriate controls and procedures to be implemented under its privacy program. The organization may choose to consult the internal audit function for guidance on the impact of proposed privacy controls, including those related to physical and network infrastructure, data encryption, and training and education. Because of its distinct, independent relationship with the rest of the organization, the internal audit function is best suited to aid in crossing the information barriers that may inhibit the design of an effective privacy framework. The internal auditor can pull together essential privacy considerations, including:
- Existing privacy procedures and practices with internal and external users;
- A multi-faceted layer of applicable laws and regulations in all jurisdictions in which the organization conducts business;
- Liaisons with information technology specialists both internal and external to the organization;
- Liaisons with human resources for adequate training and education of the organization’s users; and
- Organizational consequences of non-compliance or a data security breach.
To have an effective privacy program, companies cannot simply design and implement privacy controls; they must also gain assurance that those controls and procedures are sufficiently managing privacy risks and are functioning as intended in continuously evolving technology and risk environments. While an organization may find insight in working with its internal audit function to develop the appropriate tests for sufficiency, only the internal audit function has the necessary skills, experience, and organizational relationships to independently assess the effectiveness of privacy controls, call for actions to strengthen and improve controls, and evaluate the sufficiency of the follow-up mechanisms in place to enhance privacy controls and mitigate weaknesses in the privacy program.