Four methods to obtain assurance on Data Protection implementation and practices (Georges Ataya)
After more than three years for the early adopters and much less for the latecomers, organisations continue to invest in implementing data protection good practices and in seeking GDPR compliance. Many ask about the efficiency or effectiveness of the compliance implementation effort.
Different stakeholders wish to obtain assurance on the compliance posture of their organisations, of their business processes or of their suppliers. Their objective may be to verify the progress made with compliance investments, to avoid the risk of a penalty, or simply to perform a routine risk assessment exercise.
I recommend adopting one of the following assurance practices depending on the context of the enquirer, the size of the compliance investment or the liability risks of one's own organisation or of the supplier.
Board members and business owners wish to ensure an adequate return on investment and a justifiable compliance position for their various business activities. Executives often lack tangible evidence, dashboards or other useful indicators of how far the organisation has actually progressed relative to the investments made. They look for a qualified opinion from an external party.
Executives and directors of an organisation acting as a Controller need to limit their liability when calling on Processors with an unproven compliance track record. They need to rely on a proven assessment method that addresses all important activities involving personal data.
Department managers and process owners, such as human resources managers or marketing directors, remain the first accountable crew in implementing and running compliance operations. Their needs span from a basic self-assessment to a detailed scan of the actual DPO services and of the GDPR-adjusted processes.
Conducting a self-assessment
A self-assessment is a tool designed to provide a quick evaluation of an enterprise's functions, processes and procedures that indicate compliance with GDPR. It is typically structured in twenty to thirty questions. The level of detail is typically reduced to a capability level qualifying each domain of compliance. Those domains include activities and processes such as the management of Data Subject Requests, complaints, personal data identification, data classification, as well as the management of access and of sub-processing.
When conducting the self-assessment, it is recommended to inventory what has been attained and to document achievements, references to existing documents, or links to relevant intranet resources.
Running a Quick-Scan
Typically administered by an expert, the Quick-Scan is meant to monitor compliance comprehensively, evaluating all activities that need to be addressed. The Quick-Scan, also called an initial assessment, can be the first phase that identifies the detailed phases of an implementation program. In that case, it follows the strategy phase, in which senior stakeholders, process owners, the DPO and other parties (CIO, CISO) propose a strategy, priorities and the parties to be involved. They set the focus on the activities and the personal data that present the highest risk, or they simply initiate an inventory to identify those.
A typical shortcoming of a Quick-Scan is its reliance on legal matters only. It falls short of evaluating, beyond the list of established compliance needs, the transformation and operations activities, including all individual projects, information security protections, incident handling processes, contract review sequences and plans, awareness projects, and individual process transformation across the enterprise.
In a typical Plan/Build/Run/Monitor cycle for a data protection compliance implementation, an organisation's management, legal experts, process owners and Data Protection Officers may content themselves with the Plan phase. In the absence of a designated program and relevant projects, functions such as the DPO, the CISO, the CIO or external consultant(s) are engaged in uncoordinated activities. A Quick-Scan should therefore not only assess the effectiveness of the legal advice and the reasonableness of the planned activities; it should also highlight shortcomings in the planned implementation projects.
Performing a formal audit
The goal of a formal audit of the GDPR implementation and activities is to provide management and the board of directors with a level of assurance that GDPR-related compliance controls are operating effectively.
The audit should include an assessment of the enterprise's policies and procedures for managing and protecting personal data. The GDPR audit should include a review of the tools and technology used to input, process, transmit and store information regulated by GDPR. It should identify the phases of the implementation and evaluate their adequacy. It should also adjust the compliance objectives and detailed actions to the declared business objectives, priorities and final goals expected from the compliance investments.
The level of maturity may be evaluated based on alignment enablers such as collected information, designed processes, designated accountability, implemented processes and other enabler dimensions.
The involvement of experts qualified in each domain of competence allows a robust assessment of the internal controls for each domain of compliance, in line with the defined audit program.
IT audit and assurance professionals understand data protection and records management processes in the context of holistic and integrated business systems. The auditor should have the functional and business knowledge needed to assess alignment with the business compliance needs.
Obtaining a certification
The certification is defined in article 42/3 of the GDPR. The Member States, the supervisory authorities, the [European Data Protection] Board and the European Commission encourage, in particular at the Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises must be taken into account.
A certification mechanism can define its scope either generally or in relation to a specific type or area of processing operations, and can thus already identify the objects of certification that fall within the scope of the certification mechanism (Source: Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of Regulation 2016/679, adopted on 25 May 2018).
When assessing a processing operation, the following three core components must be considered, where applicable: personal data (the material scope of the GDPR); technical systems, i.e. the infrastructure, such as hardware and software, used to process the personal data; and the processes and procedures related to the processing operation(s).
Each component used in the processing operations must be assessed against the set criteria. At least four significant factors can influence that assessment:
1) the organisation and legal structure of the controller or processor;
2) the department, environment and people involved in the processing operation(s);
3) the technical description of the elements to be assessed; and finally
4) the IT infrastructure supporting the processing operation including operating systems, virtual systems, databases, authentication and authorization systems, routers and firewalls, storage systems, communication infrastructure or Internet access and associated technical measures.
Organisations should seek adequate advice when initiating a certification.