Internal audit can play a strategic role in supporting an organization's GDPR compliance and remediation activities by: 1) Providing expertise and a "big picture" view of personal data flows and requirements. 2) Identifying opportunities to improve data governance and privacy risk management practices. 3) Conducting reviews of key GDPR compliance elements like data mapping, privacy impact assessments, and data subject rights management.

1. Beyond GDPR Compliance
How IT Audit can support General Data Protection
Regulation (GDPR) remediation activities
Omo Osagiede, CISSP, CISA
November, 2017

2. Sub-section
OUTLINE
• Internal Audit as a strategic partner
• The GDPR Audit Universe
• How can Internal Audit support?
• DPIA
• Big picture view of personal data
• Data subject rights
• Pseudonymisation
• Cloud processing
• Big data
@OmoruyiOsagiede

3. Beyond GDPR compliance…
• Many organisations are only focused on May 25, 2018 when the GDPR
becomes enforceable.
• More than merely complying with regulation, GDPR encourages good
practices for data privacy and data protection which should become
embedded within organisations beyond May 2018
• There is increasing expectation from senior stakeholders for Internal
Audit to add value in more strategic business risk areas.
• GDPR compliance is fundamentally a risk management exercise, which
Internal Audit is well equipped to support.
• While maintaining independence, internal auditors can play a significant
role by ensuring that the right data privacy/protection controls are built-
in at the front-end of the compliance journey.
@OmoruyiOsagiede
1

4. The growing strategic partnership role of IA
Traditional role of IA - project focused on its core
competency, reinforcing and monitoring internal control
environment and compliance.
Provide high quality and relevant business
insights to support organisational change.
Serve as subject matter
experts to business
management, supporting
key objectives and
strategic initiatives.
Core IA
competency
@OmoruyiOsagiede
Strategic business
advisor
Expertise
Relationship
andinsight
2

5. Examples of strategic partnership under GDPR
Provide ‘big picture
view’ of GDPR beyond
individual work streams
and highlight control
interdependencies.
Support the cultural
mindset shift from
‘company owns data’ to
‘customer owns data
and we are custodians’.
Highlight potential
control design gaps in
GDPR remediation
activities through early
identification.
Advocate for data
privacy risk to be
considered alongside
digital transformation
and other strategic
initiatives.
IA
#1
#3
#2
#4
@OmoruyiOsagiede
3

6. One view of the GDPR ‘Audit Universe’
Data privacy
risk
management
Data
management/
Inventory
Privacy
principles,
policies &
procedures
Information
security
Privacy
training and
awareness
Data breach
incident
management
Compliance
monitoring
Vendor
Management/
cross border
transfers
Governance /
Program
Management
GDPR
- GAPP
- ICO
@OmoruyiOsagiede
4

7. Examples of GDPR technology considerations
• What types of data do you hold?
• Where is the data held?
• Is unstructured data in-scope?
• How transparent are the
secondary uses of data?
• Are you catering for non-
obvious personal data
identifiers e.g., IP addresses,
RFID tags, cookies, CCTV and
sensitive personal data?
• How are you managing data
subject rights across all
service platforms: voice, web
and mobile?
• How are you discerning
information service users
below legal age limit? (16 - UK)
• How are you managing
privacy in cloud service
environments?
• Can you provide data
subjects with data in
portable formats?
• How are you embedding
privacy into systems
development lifecycles?
• How do you determine
appropriateness of
safeguards: Minimisation,
pseudonymisation,
encryption?
@OmoruyiOsagiede
5

8. How can Internal Audit support?

9. 1. Facilitate Data Protection Impact Assessments
Ref: Article 35 & 36 | Recitals 74 to 96
Embedding DPIA into business-as-usual has benefits for:
Existing data
processing estate
In-flight IT projects
(development & acquisition)
Future dev &
business change
IA acting as an SME can facilitate a risk-
based DPIA approach
Internal Audit should challenge the business to institutionalise DPIA across:
Privacy risk
management
Privacy-by-
design
Vendor
management
Information
security
@OmoruyiOsagiede
6

10. 2. Support a ‘big picture view’ of personal data
Objective: To demonstrate
compliance, controller or processor
should maintain records of processing
activities under its responsibility and
implement technical and
organisational measures.
Objective: Ensure the governance
and management of data as a
strategic business asset in order
to derive maximum value from it.
Article 30 | Recitals 82, 89, 90
GDPR
Business
@OmoruyiOsagiede
7

11. Pseudonymised
data with attribution
IP
addresses
CCTV
images
MAC
addresses
Cookie
identifiers
RFID tags
Name
Date of
birth
Sexual
orientation
Racial
origin
Political
opinions
Religion or
beliefs
Address
Biometric &
genetic data
National
Insurance
number
Criminal
convictions
Trade Union
Membership
Email address
Social media
posts
Bank details
Personal
data
landscape
@OmoruyiOsagiede
8

12. 3. Conduct data flow mapping review
Provide assurance on the data flow
mapping process. Ensure mapping
considers all flows. For example:
Customer Organisation
Vendor (inc cloud)Business
Vendor Vendor
EU organisation Non-EU org
At what point in data generation or
collection is lawful processing
determined?
Questions IA should flag during data
flow mapping exercise
At what point is consent captured (if
used as grounds for processing)?
Do storage locations and formats easily
facilitate data subject rights including:
SARs, right to erasure, rectification,
portability?
Are data retention periods documented?
Are confidentiality, integrity and
availability requirements identified?
What data items are being collected and
in what formats?
@OmoruyiOsagiede
9

13. 4. Identify opportunities to improve data governance
GDPR presents an opportunity for your organisation to join up data governance/
digital transformation work streams with data privacy/protection compliance
objectives.
GDPR data
management/
Inventory
Data architecture &
management
Data modelling & data
development
Reference & Master
Data Management
Data warehouse &
Business Intelligence
Document & Content
Management
Data integration
Database operations
management
Data security
Meta-data
management
Data quality
management
Source: DMBOK Functional Framework v3 (DAMA)
@OmoruyiOsagiede
10

14. 5a. Prepare for the potential increase in data
subject rights requests
18,300
Total data protection concerns brought
to ICO in 2016/17 - 2,000 more than
previous year. Trending upwards
42%
Data protection concerns relating to
Subject Access Requests. Same as
previous year
11%
Data protection concerns relating to
inaccurate data. Lower than previous
year
70%
70% of concerns reported to the ICO centred on
areas where customer service is a key factor.
Source: Information Commissioner’s Annual Report and Financial Statements 2016/17
@OmoruyiOsagiede
11
Will these trends
change after May
2018?

15. 5b. Support enhancements to IT systems
Right to erasure
Data portability
Subject access requests
Consent management
Rectification of
inaccurate data
Restriction of processing
Potential increase in data subject rights requests could result in the need for
technology investment to operationalise business processes to help address
projected volumes and improve customer service.
System requirements
System design &
testing
Systems
implementation
Business process
design & testing
Data subject rights
(customers & employees)
Ref: Articles 13 to 23
@OmoruyiOsagiede
12

16. 6. Ensure segregation: Data pseudonymisation
Questions IA should ask about pseudonymisation:
Does system design permit the
attribution of pseudonymised data
to natural persons through data
enrichment?
Is domain segregation applied to
separate attribution data from
pseudonymised data?
Is access to attribution information
segregated from pseudonymised
data? Who retains the key?
Psuedonymised data
(prod, dev, test)
Attribution data
permitting
re-identification
Process A Process BToxic
combination
Ref: Recitals: 26, 28, 29 | Article 4(5), 25(1), 32(1)a
Domain
separation
Inappropriate
access
Risk-based approach to applying
pseudonymisation? (i.e., are
avoidance, encryption, anonymisation
more appropriate?)
User
@OmoruyiOsagiede
13

17. 7. Review data privacy in cloud processing
Assumption: Your organisation (data controller) may already use a
public cloud (processor) service provider (IaaS, PaaS, SaaS).
Does the org
maintain records of
data processing in
the cloud?
*Do CSP contracts
& MSAs include
relevant clauses for
data protection in
line with GDPR
requirements?
Does cloud solution
architecture provide
data location control
to the org?
Ref: Articles 4(7&8), 24(1), 26 (1), 28, 29, 36
Can CSP assure
support access to
client data is
restricted to EU-
based employees
only?
Who controls
master keys for
encrypting data-at-
rest and in-transit?
Have controller,
processor and
sub-processor
responsibilities
been defined?
Have cloud DPIAs
been performed?
Can CSP support
the delivery of data
subject rights?
Have CSP’s data
protection practices
been reviewed?
*See: CSA Code of Conduct for GDPR Compliance
@OmoruyiOsagiede
14

18. 8. Enable big data WITH privacy
Fairness
Transparency
& Purpose
Limitation Privacy
Enhancing
Technologies
Data
Minimisation
Rights of
individuals
How do you ensure
algorithms are not
repurposed in
unexpected ways and
drawing unexpected
conclusions about data
subjects?
Has organisation
considered other lawful
processing options
other than traditional
consent - which is not
always practical in big
data scenarios where
repurposing is
common?
How do you avoid
excessive data
collection? How do you
guarantee retention and
right-to-erasure?
Does the organisation
maintain adequate meta-
data to facilitate delivery
of data subject rights?
How do you ensure
PETs are designed by
default into big data
solutions?
Business benefits of big data (‘3 Vs*’) - including analysis through artificial
intelligence & machine learning - must be balanced with privacy risks.
Some questions which IA should ask Data Scientists include:
@OmoruyiOsagiede
*Volume, velocity and variety
15

19. How can IA achieve strategic partnership with the business?
Omo Osagiede
https://www.linkedin.com/in/omoosagiede/ @borderless_i
•Thing beyond GDPR compliance.
•Think beyond the annual audit plan.
•Provide the big picture view.
•Keep the business outcomes for GDPR in mind.
•Actively look for opportunities to add value.
•Build relationships.
•Maintain independence.