
Getting certified against a standard or compliant with data protection legislation is always tough. Maintaining standards can feel like you're on a treadmill of internal audits. Here's how to avoid internal audit burn-out.

The Web of Compliance Requirements

If your organization gathers, processes, or transmits personal data you have to comply with data privacy legislation. That might be legislation put in place by your own government or it might be legislation from overseas, depending on where the data subjects, the people whose data you're processing, are located. Under most regimes it's the location of the data subjects, not where your business is based, that determines which external data protection rules and regulations come into play.

This legislation can soon pile up. For example, the European data protection legislation is the General Data Protection Regulation (GDPR). If you process any personal data relating to people in the EU or EEA you need to comply with the GDPR. The United Kingdom left the European Union on Jan. 31, 2020, and the post-Brexit transition period ended on Dec. 31, 2020. UK data protection is now governed by the UK GDPR, a version of the EU GDPR retained in domestic law with modifications, together with the Data Protection Act 2018 (DPA 2018), which supplements it. So if you process the personal data of people in the UK, you need to comply with that legislation too.

In the U.S. the California Consumer Privacy Act (CCPA) safeguards the personal data and privacy rights of California residents. Nevada and Maine have their own legislation in place, and many other states, New York, Maryland, Massachusetts, Hawaii, and North Dakota amongst them, are implementing or considering their own data protection and privacy laws.

Remember, it's not where you are located that counts; it's where the data subjects reside that dictates whether you need to consider their local data protection laws. Some of these laws have thresholds and exemptions based on, for example, the number of personal records you process or the turnover of your organization, but you still need to review each piece of legislation to determine whether you are compelled to comply.

You may need to comply with other professional or industry-specific legislation such as the Health Insurance Portability and Accountability Act (HIPAA), the Children's Online Privacy Protection Act (COPPA), or the Gramm-Leach-Bliley Act (GLBA).

Want to process credit card payments? You need to satisfy the Payment Card Industry Data Security Standard (PCI DSS).

Then there are optional standards that you may choose to adopt and follow such as the international ISO/IEC 27001 standard, the UK's Cyber Essentials scheme, or the National Institute of Standards and Technology (NIST) Cybersecurity Framework in the U.S. You may be compelled to obtain one of these if your professional body requires it, or if a sufficiently large customer requires its suppliers to be certified against a recognized cybersecurity standard.

Many organizations voluntarily adopt and run in accordance with standards like these in order to:

  • Benefit from the structure and governance that the framework provides.
  • Demonstrate that they take cybersecurity seriously and that clients' personal data will be properly safeguarded.
  • Gain a business differentiator, or keep up with the market: if all your competitors hold a certification you'll need to follow suit.
  • Tender for government, military, or other contracts that require bidding organizations to meet specific standards.

According to research conducted by cloud security company Telos, the average organization has 13 different security and data privacy-related standards or regulations to comply with. It costs USD 3.5 million each year and consumes 58 man-days per quarter.

The Hamster Wheel of Maintenance

Developing a set of policies and procedures is the first part of achieving compliance or certification to legislation or a quality standard. The second is training and introducing staff to the procedures and processes. The final step is operating in accordance with those policies and procedures and maintaining the system.

The development and implementation eventually come to an end, as does the bulk of the staff awareness training. New starters will receive training as part of their induction, but the training for existing staff will eventually be completed. The maintenance of the system never ends, however.

You must:

  • Monitor noncompliances and act to rectify the processes or re-train staff so that the noncompliance cannot recur.
  • Check that your employees are following the procedures and that a suitable audit trail is being maintained.
  • Monitor the legislation and standards for changes and amendments, and update your policies and procedures accordingly.
  • Be aware of new legislation as it is enacted, often in other jurisdictions, that might affect your lawful basis for gathering, processing, or transmitting personal data.

With multiple standards or sets of legislation to comply with, that generates quite a workload. The cycle of internal audits and remedial action can be a full-time background task. And inevitably there's going to be a lot of overlap between the different frameworks and a lot of repetition in the type of activities needed to maintain what are effectively quality management systems for privacy and data protection.

That can lead to audits being paid lip service and treated as an annoyance to be dispatched as quickly as possible, instead of as thoroughly as they warrant. What can you do to avoid compliance audit burn-out?

Establish a Master Control Register

The different legislation and standards may require technology solutions for some issues---such as firewalls and endpoint protection---but the majority of their requirements are controls achieved through governance. These are the operational controls and safeguards that need to be enacted through policies and procedures to ensure every clause or section of the legislation is addressed.

Create a list of all the controls from each of the frameworks that you have to maintain. Establish what each control is trying to achieve. Names vary from framework to framework, but you can identify the duplicates by looking at what they are controlling. Be careful about what "most stringent" means for each one: for a log retention period the longest requirement wins, for an access-review interval the shortest wins, and a control that serves more than one objective needs an entry under each. In each case, pick the most stringent version of that control, add it to a new list, and record which framework set the bar and which frameworks that entry satisfies.

That new list forms a baseline that you can audit against. Provided the mapping is complete, if an internal audit against the controls in your master list passes, an audit against each individual framework should also pass; keep the mapping so you can show an assessor which master control satisfies each clause of their framework. A control catalog such as NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, can help in creating your master list in a formal, auditable fashion.

Your audit frequency should be set by the framework that requires the most frequent audits. You'll then spend less time auditing overall, knowing that all frameworks are covered in a single audit cycle.
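The register-building procedure above can be expressed as a small program, which makes the direction-aware "most stringent" rule and the cross-check against each original framework concrete. This is an added example, not code from the original article or from any standard; the framework names, control IDs, objectives and numbers are constructed placeholders and do not represent the actual requirements of GDPR, PCI DSS, ISO/IEC 27001 or any other framework named on this page.

```python
"""Build a master control register from several frameworks' controls and audit
once against it.  Framework names, control IDs and numbers below are
constructed placeholders, not the requirements of any real standard."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    framework: str
    control_id: str
    objective: str   # what the control achieves; duplicates are found on this key
    parameter: str   # the measurable setting the control constrains
    value: float
    stricter: str    # "higher": a larger value is stricter; "lower": a smaller one is


@dataclass
class RegisterEntry:
    parameter: str
    value: float
    stricter: str
    set_by: str                                      # framework whose control set the bar
    covers: List[str] = field(default_factory=list)  # every framework this entry satisfies


# Constructed sample: overlapping controls from three hypothetical frameworks.
CONSTRUCTED_CONTROLS = [
    Control("Framework A", "A-5.1", "log-retention", "retention_days", 90, "higher"),
    Control("Framework B", "B-10.7", "log-retention", "retention_days", 365, "higher"),
    Control("Framework A", "A-9.2", "account-review", "review_interval_days", 180, "lower"),
    Control("Framework C", "C-3.4", "account-review", "review_interval_days", 90, "lower"),
    Control("Framework B", "B-8.3", "authentication", "min_password_length", 12, "higher"),
    Control("Framework C", "C-2.1", "authentication", "min_password_length", 8, "higher"),
    Control("Framework A", "A-18.2", "internal-audit", "audit_interval_months", 12, "lower"),
    Control("Framework B", "B-12.11", "internal-audit", "audit_interval_months", 3, "lower"),
]


def meets(required: float, stricter: str, observed: float) -> bool:
    """True if an observed setting satisfies a requirement, respecting its direction."""
    return observed >= required if stricter == "higher" else observed <= required


def build_register(controls: List[Control]) -> Dict[str, RegisterEntry]:
    """Group controls by objective and keep the most stringent value for each."""
    register: Dict[str, RegisterEntry] = {}
    for c in controls:
        entry = register.get(c.objective)
        if entry is None:
            register[c.objective] = RegisterEntry(c.parameter, c.value, c.stricter,
                                                  c.framework, [c.framework])
            continue
        # Controls under one objective must measure the same thing in the same
        # direction; otherwise "most stringent" is meaningless and the objective
        # has to be split into two entries.
        if entry.parameter != c.parameter or entry.stricter != c.stricter:
            raise ValueError(f"{c.objective}: {c.control_id} measures {c.parameter}/"
                             f"{c.stricter}, register has {entry.parameter}/{entry.stricter}")
        entry.covers.append(c.framework)
        if not meets(c.value, c.stricter, entry.value):
            # The current baseline would fail this control, so this control is stricter.
            entry.value, entry.set_by = c.value, c.framework
    return register


def audit_against_register(register: Dict[str, RegisterEntry],
                           observed: Dict[str, float]) -> Dict[str, bool]:
    """One audit: compare observed settings with the master baseline, per objective."""
    return {obj: meets(e.value, e.stricter, observed[e.parameter])
            for obj, e in register.items()}


def frameworks_passing(controls: List[Control],
                       observed: Dict[str, float]) -> Dict[str, bool]:
    """Cross-check per framework: when the register audit passes, all of these are True."""
    result: Dict[str, bool] = {}
    for c in controls:
        ok = meets(c.value, c.stricter, observed[c.parameter])
        result[c.framework] = result.get(c.framework, True) and ok
    return result


def audit_interval_months(register: Dict[str, RegisterEntry]) -> float:
    """Audit at the cadence of the framework demanding the most frequent audits."""
    return register["internal-audit"].value


if __name__ == "__main__":
    register = build_register(CONSTRUCTED_CONTROLS)
    for objective, e in register.items():
        print(f"{objective:15} {e.parameter}={e.value} "
              f"(set by {e.set_by}; covers {', '.join(e.covers)})")
    # Constructed evidence, as gathered during an internal audit.
    observed = {"retention_days": 400, "review_interval_days": 90,
                "min_password_length": 14, "audit_interval_months": 3}
    print("baseline audit:", audit_against_register(register, observed))
    print("per framework: ", frameworks_passing(CONSTRUCTED_CONTROLS, observed))
    print("audit every", audit_interval_months(register), "months")
```

The `stricter` field is the part worth copying into a real register: the same "pick the biggest number" shortcut that is right for retention periods silently picks the weakest requirement for review intervals and audit cadences, and the `ValueError` stops two controls that only share a name from being merged.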

Resourcing for Internal Audits

Internal audits don't just tie up those performing the audits and wading through the results. Department heads, team leaders, or their designated deputies become embroiled in finding and providing evidence to prove to the auditors that all mandatory procedures are being followed. A suitably empowered, dedicated audit team removes that burden from others.

You don't want them to be viewed as the audit secret police. It'll be much more productive if they are seen as a collaborative unit that is here to remove the auditing pain points. If a piece of evidence cannot be located or is insufficient the audit team needs to log the incident but also to help correct the issue. Over time you'll find that they are ideally positioned to become audit advocates and to champion security standards and compliance legislation within your organization.

Many organizations are unable to justify a dedicated team, of course. Often the responsibility can be shared amongst a suitable selection of staff, as an adjunct to their main job role.

Another option is to out-source your internal audits. That might sound like a contradiction in terms, but it can be a simple solution. You must locate auditors that are familiar with each of the frameworks you need to comply with, and who understand that they'll be performing internal audits against your master control list.

Because they are an external entity they won't have the network access and other privileges that an internal team would have, so they are unlikely to be able to help correct issues or to assist with improving low-grade evidence. On the other hand, precisely because they are external, they may be taken more seriously by other staff.

A Necessary Evil

Auditing burn-out affects the auditors and the audited alike. Using a master control list to audit against allows you to audit to the most stringent requirements of all of your frameworks, and yet reduce the auditing overhead. It also ensures you are always ready for annual audits and spot-check inspections.