What Do Regulators Look for in Privacy Audits?
- Key risk factors that regulators look for in a privacy audit
- Free privacy audit checklist to help establish compliance
- The latest with HIPAA compliance and audits
Privacy Audit Checklists and Best Practices
Privacy audits are as sure as the rain in the Pacific Northwest, so it’s important to manage them successfully when regulators come calling, especially since the FTC has recently signaled increased scrutiny of privacy violators and violations. “We’re going to make sure that data abusers face consequences for their wrongdoing,” Erie Meyer, FTC technologist, said recently at PrivacyCon 2021, an annual event that focuses on consumer privacy and data security.
FTC Commissioner, Rebecca Kelly Slaughter, stated, “Data abuse reflects the fact that rampant corporate data collection and sharing and exploitation harms consumers, workers, and competition.”
Privacy compliance is more than just the right policies and paperwork; Meyer warns that companies shouldn’t come into compliance simply by “papering over questionable conduct.”
To help prepare your organization for a privacy audit, let’s examine how privacy professionals can get their privacy compliance ducks in a row and take a look at what regulators look for in privacy audits.
Privacy Audit Checklist
What do regulators look for in a privacy audit? They look for key risk factors and controls in the context of legislative and regulatory requirements, such as the GDPR and the California Consumer Privacy Act (CCPA). The auditor reviews policies and evaluates procedures for how data is collected, created, received, transmitted, maintained, and disposed of, according to Hafiz Sheikh Adnan Ahmed, CGEIT, COBIT 5 assessor.
Ahmed explains that, in a privacy audit, data privacy and protection laws and regulations have forced auditors to evaluate an enterprise’s overall posture from a privacy perspective, ensure that risk assessments are performed as required by regulations, and ensure that privacy is accounted for in audit planning.
Consider this privacy audit checklist from Harvard:
- Assess the statutory/regulatory climate(s) affecting your organization.
- Account for industry/trade organization affiliations: are there any self-regulatory initiatives with which your policies and practices must comport?
- Consider the media climate: are there certain practices on which you should focus during your assessment (e.g., cookie use, web-bug use, or other media hot-button issues)?
Conduct a privacy risk assessment
- This process will aggregate the data necessary for informed policy and procedure formation and revision.
- Establish an internal privacy task force or working group, including members of legal, government relations, IT/IS, sales, public relations/marketing communications and other relevant groups within the organization.
- It is critical that the project leader (presumably the CPO/Privacy manager) obtain senior management buy-in early in the process, as their cooperation will be critical in successful advancement of the initiative.
- Only then should the team begin a review of company collection, maintenance, security, use, disclosure to third parties, and prospective strategies.
Classify information into general categories
- Personally identifiable/non-personally identifiable
- Information subject to specific statutory/regulatory requirements:
  - Medical information
  - Financial information
  - Information collected from children under the age of 13
- Assess requirements domestically and abroad, in all relevant jurisdictions.
Map data flows
- One of the products of this assessment will be a “data map”, providing detailed information about how information is being received, utilized, managed, and passed on by your organization. In conducting this assessment, you should answer the following questions.
- What information is moving intra-departmentally or intra-personally within your organization?
- What information is moving from your organization to third parties?
- What information is your organization receiving from third parties?
- What relevant information is moving across state/national boundaries?
- The answers to these questions will determine your level of privacy-related exposure, and should inform your organizational privacy strategy.
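The two checklist steps above (classify information, then map data flows) are easier to defend in an audit when the data map is a structured record rather than a spreadsheet of prose. The following is an added example, not code from the page, from Harvard's checklist, or from RadarFirst: it models each flow as a record, derives the checklist's category labels, answers the four data-map questions as flags, and ranks flows by a constructed exposure score. The `WEIGHTS` table, the `Flow` fields and the sample flows are all assumptions made for this illustration.

```python
from dataclasses import dataclass

# General categories from the checklist: PII vs. non-PII, plus the
# sub-categories that carry specific statutory/regulatory requirements.
REGULATED = {"medical", "financial", "children_under_13"}

# Scoring weights are a constructed assumption for this example, not a
# standard; an organization would calibrate them in its own risk assessment.
WEIGHTS = {
    "pii": 1,
    "regulated_category": 1,
    "to_third_party": 2,
    "from_third_party": 1,
    "cross_border": 2,
}


@dataclass(frozen=True)
class Flow:
    """One entry in the data map: a dataset moving from a source to a destination."""
    dataset: str
    categories: frozenset        # subset of {"pii"} | REGULATED; empty means non-PII
    source: str                  # department or external party the data comes from
    destination: str             # department or external party it goes to
    source_country: str
    destination_country: str
    external_source: bool = False
    external_destination: bool = False


def classify(flow: Flow) -> set:
    """Return the checklist's general category labels for a flow."""
    labels = {"pii"} if "pii" in flow.categories else {"non_pii"}
    labels |= flow.categories & REGULATED
    return labels


def exposure_flags(flow: Flow) -> set:
    """Answer the four data-map questions for one flow as a set of flags."""
    flags = set()
    if not flow.external_source and not flow.external_destination:
        flags.add("internal")                 # moving within the organization
    if flow.external_destination:
        flags.add("to_third_party")
    if flow.external_source:
        flags.add("from_third_party")
    if flow.source_country != flow.destination_country:
        flags.add("cross_border")             # crosses a state/national boundary
    return flags


def exposure_score(flow: Flow) -> int:
    """Weighted exposure; flows holding no PII score 0 under this scheme."""
    labels = classify(flow)
    if "pii" not in labels:
        return 0
    score = WEIGHTS["pii"]
    score += WEIGHTS["regulated_category"] * len(labels & REGULATED)
    for flag in exposure_flags(flow) & {"to_third_party", "from_third_party", "cross_border"}:
        score += WEIGHTS[flag]
    return score


def data_map_report(flows) -> list:
    """Summarize every flow, highest exposure first, for the audit file."""
    rows = [
        {
            "dataset": f.dataset,
            "route": f"{f.source} ({f.source_country}) -> {f.destination} ({f.destination_country})",
            "labels": sorted(classify(f)),
            "flags": sorted(exposure_flags(f)),
            "score": exposure_score(f),
        }
        for f in flows
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data map (not real flows from any organization).
SAMPLE_FLOWS = [
    Flow("crm_contacts", frozenset({"pii"}), "sales", "marketing", "US", "US"),
    Flow("patient_records", frozenset({"pii", "medical"}), "clinic", "billing_vendor",
         "US", "IN", external_destination=True),
    Flow("ad_impressions", frozenset(), "ad_network", "marketing", "US", "US",
         external_source=True),
]

if __name__ == "__main__":
    for row in data_map_report(SAMPLE_FLOWS):
        print(row)
```

In the sample map the medical dataset sent to an offshore vendor ranks first because it carries a regulated category, leaves the organization and crosses a national boundary; the purely internal CRM flow scores low, and the non-PII feed from the ad network scores zero. The point of keeping the flags separate from the score is that an auditor can trace each ranking back to a specific data-map question.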
How to Establish Privacy Fortitude (and Minimize Risks)
When it comes to privacy management, many privacy professionals turn to intelligent incident response for consistent assessments in risk decisioning and determination. This reduces risk organization-wide by proving (to regulators) a consistent and defensible process to make the right notification decision every time.
Radar provides an automated privacy incident risk assessment with mechanical efficiency that helps:
- Reduce risk of fines and investigations
- Reduce risk of failing to meet contractual obligations
- Reduce the time and cost of keeping up to date on regulations
For the privacy landscape rife with complex data breach regulations, intelligent incident response is a permanent solution — especially when auditors and regulators are lurking in the wings. With patented automated risk assessment, Radar delivers a future-proof solution to make consistent and defensible decisions – in a fraction of the time compared to manually tracking regulations.
“Understanding the nuances in a law’s risk of harm standard (or lack thereof) is critical in developing a consistent breach notification and documentation program,” states Kelly Burg, lead product manager at RadarFirst.
Burg outlines risk-reducing measures for organizations, which go a long way in developing a consistent incident response and breach notification program, and, consequently, help organizations with privacy fortitude. These include:
- Know if a risk of harm standard is provided for in the applicable law.
- Conduct a multi-factor risk assessment.
- Have a consistent notification policy approach.
- Consider whether there are obligations related to a determination of unlikely harm.
The Latest with HIPAA Compliance and Audits
It’s important that organizations continue to comply with the HIPAA Enforcement Rule. HIPAA is still enforced through various enforcement actions dictated by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), reports Tripwire.
If there are issues or complaints about non-compliance, the OCR will investigate and possibly take action and even “may levy penalties and fines.”
For an always up-to-date library of hundreds of global privacy laws, rules, and regulations, Breach Law Radar is a free resource covering global breach notification laws and all 50 U.S. states’ regulations, useful for staying current on existing and proposed legislation.
Pacific Northwesterners always have a trusty parka handy for the rainy season. Since it’s always raining privacy, a trusty incident response solution is the way to go in order to current-proof and future-proof your data breach regulation compliance.