GDPR - the expansive role of internal audit

In an era of big data and digitalisation, the financial and reputational penalties that can follow a data breach mean that the General Data Protection Regulation (GDPR) will always be high profile. Audit leaders nonetheless need to maintain proportionality: it would be remiss to keep advising on improvements to data management processes when an organisation is heading into liquidation. Equally, a major data breach could be disastrous if everyone, internal audit included, continues to focus only on an aggressive acquisition strategy.

On 25th May 2018, with a fanfare rarely seen in the compliance world, GDPR came into force in the UK. This guidance briefly summarises it and encourages audit leaders to think about a broad spectrum of compliance assurance for the internal audit plan.


An almost compulsory prelude to any discussion…

The Data Protection Act 2018 will remain in place. The government intends to bring GDPR directly into UK law on exit as part of the EU Withdrawal Bill, with minor adjustments in respect of law and enforcement arrangements.

The Information Commissioner's Office (ICO) has guidance on this.

The government has published details of amendments in the event of a no-deal Brexit.

GDPR summary

GDPR specifically relates to personal data.

At its heart are seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

When it became law, the ICO noted that GDPR compliance is an 'ongoing journey', and this is how organisations should be thinking about their compliance with the rules.

At the time, the Information Commissioner, Elizabeth Denham, said: “those that merely comply, that treat the GDPR as another box-ticking exercise, miss the point. And they miss a trick because this is about restoring trust and confidence. This is about commitment over compliance. It is up to you and your boards, and your…