It is always difficult to get certified to a standard or comply with data protection law. Maintaining standards can feel like you are on a treadmill of internal audits. Here
The Web of Compliance Requirements
If your organization collects, processes or transmits personal information, you must comply with data privacy laws. This could be legislation enacted by your own government or it could be overseas legislation, depending on where the data subjects – the people whose data you process – have citizenship. It is the citizenship of the data subjects that determines what external data protection rules and regulations play a role, not where your business is located.
This legislation can quickly accumulate. European data protection legislation is, for example, the General Data Protection Regulation. If you process personal data of European citizens, you must comply with the GDPR. The United Kingdom left the European Economic Union on January 31, 2021. Data protection law in the United Kingdom is now the UK Data Protection Act (2018) (DPA2018). Chapter two of the DPA2018 contains a slightly modified version of the EU GDPR. So if you process the personal data of UK citizens, you must also comply with that legislation.
In the US, the California Consumer Privacy Act (CCPA) protects the personal data and rights of California residents. Nevada and Maine have their own laws, and many other states – including New York, Maryland, Massachusetts, Hawaii and North Dakota – are implementing or considering their own data protection and privacy laws.
Remember, it doesn’t matter where you are located; it is where the data subjects reside that determines whether you need to respect their local data protection laws. A number of these laws have exclusions depending on, for example, the amount of personal data you process and the turnover of your organization. But you still need to review the legislation to see whether or not you are required to comply.
You may be required to comply with other professional or industry-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Rule (COPPA), or the Gramm-Leach-Bliley Act (GLBA).
Process credit card payments? You must comply with the Payment Card Industry data security standard.
Then there are optional standards you may choose to adopt and follow, such as the European ISO 27001 standard, the UK Cyber Essentials standard or the National Institute of Standards and Technology (NIST) Cybersecurity Framework in the US. You may be forced to adopt one of these if your professional body requires it, or if a large enough customer requires its suppliers to be certified to a recognized cybersecurity standard.
Many organizations voluntarily adopt and operate in accordance with such standards in order to:
- Take advantage of the structure and governance that the framework provides.
- Demonstrate that they take cybersecurity seriously and that customers’ personal data is properly protected.
- Differentiate themselves from competitors, or simply keep up with them: if all of your competitors have certification, you should follow suit.
- Bid for government, military, or other contracts that require the bidding organizations to meet specific standards.
According to research by the cloud security company Telos, the average organization must adhere to 13 different security and data privacy-related standards or regulations. It costs $3.5 million per year and consumes 58 man-days per quarter.
The Hamster Wheel of Maintenance
Developing a set of policies and procedures is the first part of achieving compliance or certification with legislation or a quality standard. The second is to train and introduce personnel to the procedures and processes. The final step is to operate in accordance with those policies and procedures and maintain the system.
The development and implementation eventually comes to an end, as does most of the staff awareness training. New starters will receive training as part of their induction, but training for existing staff will eventually be completed. However, the maintenance of the system never ends.
- Monitor non-compliance and act to rectify processes or retrain staff so that non-compliance cannot recur.
- Check whether your employees follow the procedures and whether a suitable audit trail is maintained.
- Monitor laws and standards for changes and adjustments, and update your policies and procedures accordingly.
- Be aware of new legislation as it comes into effect, often in other jurisdictions, that may affect your legal basis for collecting, processing or transmitting personal information.
With multiple standards or sets of legislation that must be met, this generates a considerable workload. The cycle of internal audits and corrective actions can be a full-time background task. And inevitably there will be a lot of overlap between the different frameworks and there will be a lot of repetition in the kind of activities needed to maintain what are in fact quality management systems for privacy and data protection.
That can result in audits being given lip service and treated as an annoyance to be finished as quickly as possible rather than as thoroughly as they warrant. What can you do to avoid compliance audit burnout?
Set up a Master Control Register
The different pieces of legislation and standards may require technological solutions to some problems, such as firewalls and endpoint protection, but the majority of their requirements are controls achieved through policy and procedure. These are the operational controls and safeguards that must be carried out through policies and procedures to ensure that every clause or section of the legislation is addressed.
List all of the controls of each of the frameworks that you need to maintain. Determine what each control is trying to accomplish. Their names vary from framework to framework, but you can identify the duplicates by looking at what they actually check. For each set of duplicates, choose the strictest version of that control and add it to a new list.
That new list provides a baseline for you to audit against. If you audit against the controls in your master list and the internal audit succeeds, an audit against each individual framework will also succeed. A framework like NIST’s security and privacy controls for information systems and organizations can help you create your master list in a formal, auditable way.
Your audit frequency should be determined by the framework that requires the most frequent audits. You don’t need to spend as much time on auditing knowing that all frameworks are covered in one audit.
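As an added illustration that is not part of the original article, the following Python sketch models the consolidation step just described: controls from three hypothetical frameworks are grouped by what they check, the strictest version (here taken to be the shortest allowed review interval) becomes the master control, the audit cadence is set by the most demanding framework, and a check confirms that passing the master register implies passing every framework. All framework names, control ids and intervals are constructed sample values.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Control:
    framework: str      # hypothetical framework name
    control_id: str     # hypothetical control id within that framework
    objective: str      # what the control actually checks; duplicates share this
    review_days: int    # longest interval between checks the framework allows


# Constructed sample register: three frameworks with overlapping objectives
CONTROLS = [
    Control("FW-A", "A.9.2", "user-access-review", 365),
    Control("FW-B", "B-12", "user-access-review", 90),
    Control("FW-C", "C.4.1", "user-access-review", 180),
    Control("FW-A", "A.12.3", "backup-restore-test", 365),
    Control("FW-B", "B-20", "backup-restore-test", 180),
    Control("FW-C", "C.7.2", "log-retention", 365),
]


def build_master_register(controls):
    """Keep one control per objective: the strictest (shortest review interval)."""
    master = {}
    for c in controls:
        current = master.get(c.objective)
        if current is None or c.review_days < current.review_days:
            master[c.objective] = c
    return master


def audit_interval_days(master):
    """Audit cadence follows the framework demanding the most frequent checks."""
    return min(c.review_days for c in master.values())


def frameworks_covered(master, controls):
    """Passing the master register must imply passing each framework, so every
    framework control needs a master entry that is at least as strict."""
    covered = defaultdict(lambda: True)
    for c in controls:
        m = master.get(c.objective)
        ok = m is not None and m.review_days <= c.review_days
        covered[c.framework] = covered[c.framework] and ok
    return dict(covered)


if __name__ == "__main__":
    register = build_master_register(CONTROLS)
    for objective, c in register.items():
        print(f"{objective}: {c.framework} {c.control_id} every {c.review_days} days")
    print("audit every", audit_interval_days(register), "days")
    print("coverage:", frameworks_covered(register, CONTROLS))
```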
Resources for internal audits
Internal audits don’t just tie up those who conduct the audits and record the results. Department heads, team leaders or their designated deputies become involved in finding and providing evidence to prove to the auditors that all mandatory procedures are followed. An appropriately authorized, dedicated audit team removes that burden from others.
You don’t want them to be seen as the secret police. It will be much more productive if they are seen as a collaborative unit that is there to remove the pain points in auditing. If evidence cannot be found or is insufficient, the audit team should log the finding, but also help resolve the issue. Over time, you will find that they are in the ideal position to become advocates for security standards and compliance laws within your organization.
Of course, many organizations are unable to justify a dedicated team. Often the responsibility can be shared among an appropriate selection of personnel, in addition to their primary function.
Another option is to outsource your internal audits. That may sound like a contradiction in terms, but it can be a simple solution. You must find auditors who are familiar with each of the frameworks that you must comply with, and who understand that they will conduct internal audits based on your master checklist.
Because they are an external entity, they do not have the network access and other privileges that an internal team would have, and they are unlikely to be able to resolve problems or improve weak evidence themselves. But precisely because they are an external entity, other employees may take them more seriously.
A necessary evil
Audit burnout affects both auditors and auditees. By auditing against a master checklist, you can perform audits against the most stringent requirements of all your frameworks while still reducing auditing overhead. It also ensures that you are always ready for annual audits and spot inspections.