Control Considerations for a Data Privacy Audit

Author: Fene Osakwe, Ph.D., CISA, CRISC, CISM, C|CISO
Date Published: 3 March 2025

In recent years, the term "privacy" has become a prominent topic of discussion, often featured in conversations about cybersecurity, compliance, and more recently, artificial intelligence (AI). Privacy concerns have emerged as a main risk associated with the use of these new technologies.

Various data protection laws exist globally, including the European Union’s General Data Protection Regulation (GDPR),[1] China’s Personal Information Protection Law (PIPL),[2] and Latin America’s Lei Geral de Proteção de Dados (LGPD),[3] among others. The objective of these laws is to ensure that the privacy of citizens is respected and protected.

According to a survey conducted by the International Association of Privacy Professionals (IAPP), nearly 93% of organizations indicated that privacy is among their top ten organizational threats, with 36% ranking it within their top five.[4] As a result, privacy should be a key focus area in audit plans. Auditors should also be aware of high-risk privacy domains to include in their privacy audits, as it may not be feasible to take a comprehensive approach depending on the organization's timing and size.

There are five key risk areas that could provide guidance for auditors in today’s evolving privacy landscape. By identifying and defining these key risk areas, auditors can ensure robust and comprehensive privacy oversight.


Governance and Accountability

Governance and accountability refer to the policies, procedures, and processes an organization implements to ensure its data privacy program is effective and compliant with relevant laws and regulations.[5] This includes mechanisms (processes, standards, frameworks) for holding individuals and teams accountable for meeting the organization's privacy obligations. Without such a system, demonstrating compliance, ensuring follow-through, and identifying compliance gaps become significantly more challenging. Auditors should expect to find certain controls in this area, including evidence of senior management support for the privacy program, clear policies and procedures for handling personal data, well-defined responsibilities for individuals (including the Data Protection Officer [DPO]), regular training and awareness programs, and mature practices for data minimization and purpose limitation.

Privacy by Design

Privacy by design is a requirement found in privacy laws worldwide. It emphasizes that privacy should not be an afterthought when introducing new systems, modules, or processes, as well as when modifying an existing process that could impact individuals' personally identifiable information (PII). This principle ensures that privacy considerations are integrated early in the development process. Auditors should verify that privacy factors are included at every stage of product development—from ideation to retirement—and should ensure that a documented Data Privacy Impact Assessment (DPIA) process and framework are in place. Additionally, auditors should check that DPO sign-off is obtained at the conclusion of the DPIA process.

Data Subject Rights Management

Data subject rights management refers to the process of receiving, processing, and responding to requests from individuals (data subjects) wishing to exercise their data privacy rights. These rights may include the right to access, rectify, delete, or restrict the processing of their personal data. It is essential for an auditor to confirm that established procedures exist for handling these requests. Additionally, there should be a process in place to regularly assess the effectiveness of these procedures and the overall data subject rights management workflow.

This workflow encompasses various steps, from informing data subjects of their rights to accepting requests through a dedicated channel. It also includes verifying identities, tracking and prioritizing requests, automating responses, discovering relevant data, transmitting information, and communicating with the requester clearly and promptly. Timely responses are crucial; delays can signal to data subjects and regulatory authorities that the organization is non-compliant and may not be trustworthy with personal information.

Contract Management

Certain jurisdictions mandate that any processor or vendor handling data has specific contractual provisions with the organization from which they receive data. Typically, these provisions are outlined in data processing addendums that specify each party's obligations and the security measures in place designed to protect the data. In some organizations, this process is integrated with a mature vendor risk management framework.

The auditor should ensure that there is close collaboration between legal and procurement teams to develop a standardized set of contractual language (e.g., Standard Contractual Clauses [SCCs])[6] that safeguards personal information when shared with or received from vendors.

Security and Breach Response

According to a 2024 IBM report, the global average cost of a data breach has reached US $4.88 million, reflecting a 10% increase from the previous year and setting a new record high.[7] This underscores the importance of mitigating risk and implementing robust security measures. Nevertheless, security and privacy teams acknowledge that even the most comprehensive controls and precautions can fail. Therefore, an organization must have a documented plan to protect, respond to, and mitigate the impact of privacy incidents and breaches.

Auditors must ensure that a detailed plan exists for identifying, reporting, and investigating breaches, and for notifying affected individuals and relevant authorities.

Regular testing and refinement of response procedures, along with ongoing monitoring and risk assessments, are crucial for identifying potential weaknesses.

Additionally, there are other privacy considerations, such as notices, vendor risk management, and program management, which are not explored in detail in this article. The objective is not to address every aspect of privacy but to equip auditors with an overview of key risk areas and the appropriate controls to consider during a privacy review. As a next step, auditors should assess their organization's privacy practices, evaluate the effectiveness of controls in the domains specified above, and advise on gaps for remediation.

Endnotes

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation [GDPR]) (Text with EEA relevance)
2 Personal Information Protection Law of the People’s Republic of China, National People’s Congress of China, 29 December 2021
3 Lei Geral de Proteção de Dados (LGPD), National Congress of Brazil (2020)
4 IAPP, Privacy Risk Study 2023
5 IAPP, Privacy Risk Study 2023
6 European Commission, Standard Contractual Clauses (SCC)
7 IBM, Cost of a Data Breach Report 2024

Fene Osakwe

Fene Osakwe is a multi-award-winning global cybersecurity and digital assurance professional, international conference speaker, Amazon best-selling author, and Forbes-published thought leader. He has more than a decade of experience working on the first, second, and third lines of defense. He has worked for multibillion-US dollar companies and consulted for financial institutions, telecom and fintech companies, state governments, and universities. Osakwe has created security functions for several organizations from the ground up. In a previous role at the largest telecom infrastructure company in Africa and the Middle East, he established security and governance, risk and compliance (GRC) functions. He was recognized as one of the top 10 global cybersecurity leaders under 40 in 2023 by CIOLOOK USA and was named one of the 100 inspiring global personalities of 2022 by Hoinser Magazine. He received the Cybersecurity Excellence award (Middle East and Africa) from Ibento Global in 2022 and was named Cyber Educator of the Year in the UK in 2023. Osakwe is an advisory board member on the EC-Council Global Penetration Testing Board and author of the best seller Climbing the Corporate Ladder With Speed.
