
Data protection

Data is used by all businesses – from insurance firms and banks to social media sites and search engines. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore. The General Data Protection Regulation (GDPR) is an EU initiative which came into force in the UK on 25 May 2018, replacing the Data Protection Act 1998. It introduced wide-ranging changes to UK data protection legislation.

GDPR is a key concern for three reasons:

  1. Personal data is so pervasive that virtually every organisation holds it, making the scope of GDPR unmatched.
  2. Penalties for failing to comply are potentially huge.
  3. Boards should have already prioritised GDPR.

Internal audit is well placed to provide assurance by delivering a top-down risk assessment of how likely the organisation is to comply.

The GDPR standardises data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII).

It also extends the protection of personal data and data protection rights by giving control back to EU residents, along with introducing significant penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It is widely expected that the UK will continue to comply with GDPR even after Brexit. Internal auditors need to understand how it affects their organisation.

The business benefits of the GDPR

  1. Build customer trust
  2. Improve brand image and reputation
  3. Improve data governance
  4. Improve information security
  5. Improve competitive advantage

Miss our recent webinar on GDPR?

Our recent webinar, hosted by our partner ACL, examined the role of internal audit within an organisation's GDPR agenda. It is free to view – you'll just need to provide a few details.


Key changes in the new regulation

We highlight seven key changes in the new regulation, along with seven key questions for internal audit.


10 key questions that we as internal audit can ask of the organisation

  1. Has a risk assessment been conducted to understand whether the organisation is compliant and where further work is required?
  2. Has the organisation mapped out its personal data assets (as distinct from other data assets)?
  3. Is the organisation’s cyber perimeter secure, and are personal data assets protected, e.g. encrypted?
  4. Does the organisation process personal data on a large scale, or is it a public body? If so, has an internal or external Data Protection Officer (DPO) been appointed?
  5. Do assurance providers have access to the DPO role, however it is provided?
  6. Has a reporting procedure to the relevant national authority been established for use in the event of a personal data breach?
  7. Has the organisation established a programme to raise awareness and train personnel on the management, security and disclosure of personal data?
  8. Have data protection principles been enshrined into contracts with relevant third parties/data processors?
  9. Is sensitive data protected, stored and backed up securely?
  10. Are measures in place to ensure the organisation remains compliant after 25 May 2018, including adding a work programme to the audit plan for 2018/19?

Brexit and data protection regulation in the UK

How will this EU regulation impact your organisation following the result of the UK's referendum to leave the EU?

The new regulation came into force on 25 May 2018 in the UK without the need for domestic legislation whilst we remain part of the EU.

In addition, Article 3 of the Regulation provides for extra-territorial effect, meaning that the Regulation will apply to businesses based outside the EU where:

  • Goods or services, irrespective of whether a payment is required, are offered to individuals located within the EU; or
  • Monitoring of EU individuals' behaviour takes place, as far as their behaviour occurs within the EU.

Given the above, many businesses with supply chains or customers in the EU will need to ensure they are meeting the regulation, regardless of UK decisions on data protection law.

Personal data from the EU may only be transferred to jurisdictions which protect that data to EU standards.

We will publish further comment once we know more about the Brexit plan. Monitor the Information Commissioner’s Office for statements on Brexit. Internal auditors in the Republic of Ireland should continue with their plans, and may find the Data Protection Commissioner useful.


GDPR: What? When? Why?

Awareness must now become action – and internal audit should be involved at all levels, to help management better understand and mitigate the related risks.



Data breach incidents and response plans

GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Where feasible, this must be done within 72 hours of becoming aware of the breach. We look at the features that should be included in a breach response plan and the work that internal audit can undertake.


Data security in third party agreements

Asking a third party to provide a service or product can deliver important benefits, but it also increases exposure to loss, theft and misuse of data.


Content reviewed: 1 October 2019