The Role of Internal Audit in the Implementation of the GDPR
Dimitris Mouzakitis – Manager of Governance, Compliance and Risk Management
CISM, CRISC, PCI QSA, ISO 27001 Lead Auditor
May 25th, 2017
WWW.ODYSSEYCS.COM
Overview of the GDPR
• The General Data Protection Regulation (GDPR) was approved by the European
Parliament in April 2016
• It will apply to all EU member states from May 25th, 2018
• Its primary purpose is to protect and provide rights to EU citizens whose data is
being collected and/or processed by organizations
Overview of the GDPR - Definitions
Personal Data: Any data identifying a living person (directly or indirectly)
Applicability: Global – applies wherever EU citizens’ data is collected/processed
Breach Notification: Notify the Supervisory Authority within 72 hours of becoming aware of a breach
Opt-in Consent: Consent shall be clear, and personal data shall only be used as agreed
Joint Liability: Data Controllers and Data Processors are both liable
Overview of the GDPR
Data Subjects (owners of data) may demand:
• To know how their data was initially sourced
• To have their data updated or even deleted
• To object to direct marketing
• Compensation for damage if their data is lost
• That the Regulator investigate a concern
Overview of the GDPR
Fines for Non-Compliance
Up to €20 Million or 4% of annual global turnover (whichever is higher)
Fines are likely to be based on:
• The volume of data lost
• The policies, procedures and technology in place to reduce risk
• The level of employee awareness
Fines are officially published by the Regulator when imposed
The Role of Internal Audit in the Implementation of the GDPR
An effective Internal Audit function has the enterprise-wide perspective to help
organizations realize and address the needs of the Regulation.
In addition, as an independent assurance provider, Internal Audit (IA) can deliver the experience,
skills, and knowledge needed to recognize the organization’s security strengths and
weaknesses and to test and improve its compliance capabilities.
The Role of Internal Audit in the Implementation of the GDPR
Internal Audit is not only about auditing; it performs consulting activities as well, and can:
• Identify risks
• Propose better ways of working and best practices
• Offer suggestions for improvement
• Co-operate with other functions/departments to find solutions
• Elevate issues to a level where they can be corrected
The Role of Internal Audit in the Implementation of the GDPR
Internal Audit can be involved in the following major tasks towards GDPR compliance:
• Work with Management to understand their objectives
• Help Management to provide a framework for making appropriate risk-mitigation
decisions and building organizational resilience
• Perform a gap analysis against GDPR requirements to identify areas for improvement
• Perform full/partial compliance assessment(s), acting as the Regulator would