GDPR Regulatory Compliance and the Role of Internal Audit: Theoretical & Practical Approach
Abstract
The General Data Protection Regulation (GDPR) has been in force since 25 May 2018, when it superseded the EU member state implementations of the 1995 Data Protection Directive (DPD). Compliance with the GDPR is a legal requirement and can directly affect an organization’s reputation and shareholder value. Sanctions for non-compliance include fines (up to a maximum of 4% of global turnover), orders to stop using data or to take measures that make its use compliant, regulator audits, and “class actions” by privacy groups (e.g. consumer privacy groups, or actions prompted by Works Councils). Other data protection sanctions include criminal sanctions for certain breaches, and there is increasing support in the UK and other jurisdictions for extending personal liability to directors and managers. The GDPR introduces new obligations, strengthens existing requirements and enhances people’s rights in relation to their personal data. The legislation applies not only to EU affiliates that process personal data of anyone, regardless of where they reside, but also to non-EU affiliates that process personal data relating to people within the EU. According to an old adage, there is no such thing as bad publicity. Data leakage cases over the years have proved that it is not enough for companies to develop and implement comprehensive privacy practices; they also need assurance that those practices are functioning as intended in an ever-changing risk environment, and internal audit is the most important provider of this assurance.