
Best Practices for Privacy Audits

Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-Certified Data Protection Officer, ISO MS Lead Auditor, ISO MS Lead Implementer
Date Published: 18 March 2020

When the EU General Data Protection Regulation (GDPR) rolled out in May 2018, the first questions many asked were, “What is the difference between privacy and security? Is there a different way of assessing privacy and security?” Even today, many people with technology and auditing backgrounds confuse and conflate privacy with security, and they think that doing a security audit is the same as a privacy assessment and audit. That is because the two sometimes overlap in a connected world. However, they are not the same, and knowing how they differ may help you to protect your organization in an increasingly connected world.

Security refers to protection against the unauthorized access of data. It refers to how an organization’s information and data are protected. Security controls are implemented to limit who can access the information.

Privacy relates to any rights an individual has to control personal information and how it is used.

Security is about the safeguarding of data, whereas privacy is about the safeguarding of user identity. The specific differences, however, are more complex and there can certainly be areas of overlap between them. For example, hospital and clinic staff use secure systems to communicate with patients about their health instead of sending information via personal email accounts. This type of data transmission is an example of security. On the other hand, privacy provisions might limit patient health record access to specific hospital staff members such as doctors, nurses and medical assistants.

Constant changes in the regulatory environment are putting more pressure on organizations to get data security and privacy right. IT security and privacy is the number 1 technology challenge enterprises face today. IT audit leaders and professionals worldwide likely view security and privacy issues as the top technology challenge because their organizations are changing and evolving because of numerous digital transformation efforts. Shifts of data and processes to the cloud, virtualization, use of artificial intelligence (AI) and robotics, blockchain, and other innovations change the risk and control environment as well.

A security audit evaluates the organization’s information system against a predefined set of criteria. The audit may assess everything from the physical environment and controls to business processes and procedures, IT environment, hardware configurations and user practices.

During a privacy audit, the auditor needs to consider the organization’s key risk factors and controls in the context of the specific legislative and regulatory requirements (e.g., GDPR, California Consumer Privacy Act [CCPA]) in addition to best practices. The auditor will review policies and evaluate procedures for how data are collected, created, received, transmitted, maintained, disposed of and so on.

Traditionally, data privacy involves a relatively simple set of rules that enterprises follow in managing personal data. Auditors have developed a suite of audit programs to validate compliance with personal data laws, regulations and internal policies.

Accordingly, data privacy and protection laws and regulations force auditors to change their approach to personal data and its protection in an enterprise. Auditors are required to:

• Evaluate the enterprise’s overall posture from a privacy perspective.
• Ensure that Data Privacy Impact Assessments (DPIAs) are performed as required by the regulation and that other specific regulatory mandates are met.
• Ensure that privacy is accounted for in audit planning.
• Evaluate the controls that support privacy initiatives and the completion of all required artifacts, including DPIAs.

To identify privacy risk, the audit should consider areas such as:

• IT model—Is the organization using appropriate controls, regardless of whether it processes and stores information on premises or with a hosted (cloud) provider?
• Workflows—How is information transmitted externally and internally? Who has access and how is highly sensitive information classified?
• Social media—Are policies in place and being followed to avoid accidental disclosure of sensitive information directly or through aggregating and correlating data sources?
• Wireless/mobile technology—Is there a bring-your-own-device (BYOD) policy, and does it address aspects such as location identifiers, unsecure off-premises Wi-Fi connections and unique hardware identifiers?

The auditor should assign inherent risk factors to the data processes and
procedures, and then assess the controls implemented by the organization.
The privacy and security controls that organizations use may include:

• Data encryption, both at rest and in transit
• Privacy and access controls for databases, such as partitioning
• Privileged user management, including restricted access to sensitive information based on user role and job function
• Multifactor authentication
• Privacy policies that are documented, reviewed regularly and communicated to employees, vendors and other stakeholders
• Ongoing training programs for staff on security and privacy threats and best practices

In addition to assessing controls, the auditor should review risk-management policies, processes and initiatives, which are typically overseen and implemented by high-level leadership. A high-quality audit should include not only reports of findings, but also an independent analysis that gives the organization actionable feedback.
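The two steps the article describes for the risk-rating part of the audit, assigning inherent risk to each data process and then crediting the controls that are actually in place, can be turned into a repeatable workpaper. The script below is an added example, not code from the article or its author. The scoring model (inherent risk from data sensitivity, record volume and external sharing; one point of reduction per expected control found in place; the High/Medium/Low thresholds) is an illustrative assumption rather than a published methodology, the mapping of risk drivers to expected controls is likewise assumed, and the three processes in the inventory are constructed sample input. The control vocabulary is the list the article gives above.

```python
"""Risk rating for a privacy audit over a constructed data-process inventory.

Added example, not code from the article or its author. The scoring model
(inherent risk from data sensitivity, record volume and external sharing;
one point of reduction per expected control that is in place) is an
illustrative assumption, not a published audit methodology. Every process
in INVENTORY is constructed sample input.
"""
from dataclasses import dataclass, field

# Controls named in the article, used as the audit's control vocabulary.
CONTROLS = frozenset({
    "encryption_at_rest",
    "encryption_in_transit",
    "db_access_controls",          # e.g. partitioning of personal data in databases
    "privileged_user_mgmt",        # access restricted by role and job function
    "mfa",
    "documented_privacy_policy",   # documented, reviewed regularly, communicated
    "staff_training",
})


@dataclass
class DataProcess:
    name: str
    sensitivity: int            # 1 = non-sensitive .. 3 = health / special category
    volume: int                 # 1 = few records .. 3 = organization-wide
    shared_externally: bool     # sent to vendors, cloud providers or off-premises devices
    controls: set = field(default_factory=set)

    def __post_init__(self):
        # A misspelled control name must not silently count as "in place".
        unknown = self.controls - CONTROLS
        if unknown:
            raise ValueError(f"{self.name}: unknown controls {sorted(unknown)}")


def inherent_risk(p: DataProcess) -> int:
    """Inherent risk before controls: sensitivity x volume (1..9), +3 if shared externally."""
    return p.sensitivity * p.volume + (3 if p.shared_externally else 0)


def expected_controls(p: DataProcess) -> set:
    """Controls the auditor would expect given the process's risk drivers (assumed mapping)."""
    expected = {"documented_privacy_policy", "staff_training"}   # baseline for any personal data
    if p.sensitivity >= 2:
        expected |= {"encryption_at_rest", "db_access_controls",
                     "privileged_user_mgmt", "mfa"}
    if p.shared_externally:
        expected.add("encryption_in_transit")
    return expected


def rating(score: int) -> str:
    """Map a residual score to the rating used in the report (assumed thresholds)."""
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def assess(p: DataProcess) -> dict:
    """Assign inherent risk, credit expected controls that are in place, list the gaps."""
    inherent = inherent_risk(p)
    expected = expected_controls(p)
    in_place = expected & p.controls
    residual = max(1, inherent - len(in_place))
    return {
        "process": p.name,
        "inherent": inherent,
        "residual": residual,
        "rating": rating(residual),
        "missing_controls": sorted(expected - p.controls),
    }


def audit_report(inventory) -> list:
    """Findings ordered worst-first so leadership sees the actionable gaps at the top."""
    return sorted((assess(p) for p in inventory), key=lambda f: -f["residual"])


# Constructed inventory (sample input, not from any real organization).
INVENTORY = [
    DataProcess("Patient health records (clinical system)", 3, 2, False,
                {"encryption_at_rest", "db_access_controls", "privileged_user_mgmt",
                 "mfa", "documented_privacy_policy", "staff_training"}),
    DataProcess("Marketing mailing list sent to cloud vendor", 1, 3, True,
                {"encryption_in_transit"}),
    DataProcess("Payroll export synced to BYOD devices", 2, 3, True,
                {"documented_privacy_policy"}),
]

if __name__ == "__main__":
    for finding in audit_report(INVENTORY):
        print(f"{finding['rating']:6} inherent={finding['inherent']:2} "
              f"residual={finding['residual']:2}  {finding['process']}")
        for control in finding["missing_controls"]:
            print(f"        missing: {control}")
```

Run as a script, it prints the payroll export first (High, residual 8 of 9, six controls missing), then the vendor mailing list (Medium) and finally the clinical records process (Low, all expected controls in place). The point of separating `inherent_risk` from `expected_controls` is that the auditor can defend each finding on its own terms: why the process is risky before any control, and which of the article's controls would be expected for that risk profile.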
