GDPR & corporate governance: The Role of Internal Audit and Risk Management

This paper, which is a collaboration between FERMA and the European Confederation of Internal Audit Institutes ECIIA, focuses on the impacts of the GDPR on corporate governance practices in the year following its implementation. Most specifically, it looks at the roles played by internal audit departments and risk management functions.

Using surveys and targeted interviews, the partners gathered input from internal auditors and risk managers from various industries throughout Eu­rope to meet the following objectives:

• Promote good governance alongside the General Data Protection Regulation (GDPR).
• Assess the current situation and identi­fy issues and recommendations for the GDPR.
• Collect best practices regarding good govern­ance for GDPR implementation, including the roles of internal audit and risk management.

Prior to the effective implementation of GDPR in May 2018, most European organisations invested significant efforts to comply with the regulation. As a result, substantial progress has been made in integrating GDPR compliance into existing cor­porate governance frameworks, as well adapting corporate governance to address GDPR challeng­es.

Across Europe and beyond, compliance with the GDPR, or more accurately, compliance failures, has gained significant attention. Organisations need to respond to stakeholders’ concerns about per­sonal data, and boards need independent opinion.

The next review of the GDPR, the reports states, should recognise the relevance of a corporate governance frame­work, such as the Three Lines of Defence model, to embed the management of privacy risks in the organisation. It should also preserve the organi­sation’s ability to innovate. Data protection risks will decrease if the imple­mentation of the GDPR is integrated in all busi­ness processes.

The first part of this report gives the key find­ings from the research and recommendations for stakeholders: European authorities, organisation governance bodies and practitioners, including internal auditors, risk managers and DPOs.

The second part of the report explains the major findings used to support the recommendations.

A webinar will follow on Thursday 5 December at 16:00 CET. During the webinar, speakers from the risk and internal audit professions will discuss the full findings including:

• To what extent the risk manager is involved in the GDPR corporate implementation;
• How GDPR has affected the interactions between risk management and the Data Protection Officer (DPO)?
• What are the best practices and recommendations to embed personal data protection in the risk governance of your organisation?