Best Practices for Privacy Audits

Hafiz Sheikh Adnan Ahmed
Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, CISO
Date Published: 18 March 2020

When the EU General Data Protection Regulation (GDPR) rolled out in May 2018, the first questions many asked were, “What is the difference between privacy and security? Is there a different way of assessing privacy and security?” Even today, many people with technology and auditing backgrounds confuse and conflate privacy with security, and they think that doing a security audit is privacy assessment and audit. That is because the 2 sometimes overlap in a connected world. However, they are not the same, and knowing how they differ may help you to protect your organization in an increasingly connected world.

Security refers to protection against the unauthorized access of data. It refers to how an organization’s information and data are protected. Security controls are implemented to limit who can access the information.

Privacy relates to any rights an individual has to control personal information and how it is used.

Security is about the safeguarding of data, whereas privacy is about the safeguarding of user identity. The specific differences, however, are more complex and there can certainly be areas of overlap between them.

For example, hospital and clinic staff use secure systems to communicate with patients about their health instead of sending information via personal email accounts. This type of data transmission is an example of security. On the other hand, privacy provisions might limit patient health record access to specific hospital staff members such as doctors, nurses and medical assistants.

Constant changes in the regulatory environment are putting more pressure on organizations to get data security and privacy right. IT security and privacy is the number 1 technology challenge enterprises face today. IT audit leaders and professionals worldwide likely view security and privacy issues as the top technology challenge because their organizations are changing and evolving because of numerous digital transformation efforts. Shifts of data and processes to the cloud, virtualization, use of artificial intelligence (AI) and robotics, blockchain, and other innovations change the risk and control environment as well.

A security audit evaluates the organization’s information system against a predefined set of criteria. The audit may assess everything from the physical environment and controls to business processes and procedures, IT environment, hardware configurations and user practices.

During a privacy audit, the auditor needs to consider the organization’s key risk factors and controls in the context of the specific legislative and regulatory requirements (e.g., GDPR, California Consumer Privacy Act [CCPA]) in addition to best practices. The auditor will review policies and evaluate procedures for how data are collected, created, received, transmitted, maintained, disposed of and so on.

Traditionally, data privacy involves a relatively simple set of rules that enterprises follow in managing personal data. Auditors have developed a suite of audit programs to validate compliance with personal data laws, regulations and internal policies.

Accordingly, data privacy and protection laws and regulations force auditors to change their approach to personal data and their protection in an enterprise. Auditors are required to:

  • Evaluate the enterprise’s overall posture from a privacy perspective.
  • Ensure that Data Privacy Impact Assessments (DPIAs) are performed as required by the regulation and that other specific regulatory mandates are met.
  • Ensure that privacy is accounted for in audit planning.
  • Evaluate the controls that support privacy initiatives and the completion of all required artifacts, including DPIAs.

To identify privacy risk, the audit should consider areas such as:

  • IT model—Is the organization using appropriate controls, regardless of whether it processes and stores information on premises or with a hosted (cloud) provider?
  • Workflows—How is information transmitted externally and internally? Who has access and how is highly sensitive information classified?
  • Social media—Are policies in place and being followed to avoid accidental disclosure of sensitive information directly or through aggregating and correlating data sources?
  • Wireless/mobile technology—Is there a bring-your-own-device (BYOD) policy, and does it address aspects such as location identifiers, unsecure off-premises Wi-Fi connections and unique hardware identifiers?

The auditor should assign inherent risk factors to the data processes and procedures, and then assess the controls implemented by the organization. The privacy and security controls that organizations use may include:

  • Data encryption, both at rest and in transit
  • Privacy and access controls for databases, such as partitioning
  • Privileged user management, including restricted access to sensitive information based on user role and job function
  • Multifactor authentication
  • Privacy policies that are documented, reviewed regularly and communicated to employees, vendors and other stakeholders
  • Ongoing training programs for staff on security and privacy threats and best practices

In addition to assessing controls, the auditor should review risk-management policies, processes and initiatives, which are typically overseen and implemented by high-level leadership. A high-quality audit should include not only reports of findings, but also an independent analysis that gives the organization actionable feedback.

Hafiz Sheikh Adnan Ahmed, CGEIT, Certified COBIT 5 Assessor, CDPO, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI, is a governance, risk and compliance (GRC); information security and IT strategy professional with more than 15 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter, ISACA online topic leader for the CGEIT Exam Prep Community, and member of the ISACA Chapter Compliance Framework Working Group.