GDPR and Corporate Governance

The Role of Internal Audit and Risk Management One Year After Implementation

A new publication from The European Confederation of Institutes of Internal Auditing (ECIIA) and the Federation of European Risk Management Associations (FERMA).

The paper focuses on the impacts of the GDPR on corporate governance practices in the year following its implementation. Most specifically, it looks at the roles played by internal audit departments and risk management functions.

The findings in this paper are based on analysis of two anonymous web-based surveys and interviews of selected GDPR stakeholders from various industries throughout Europe.

The main objectives of the publication are:

  • Promote good governance alongside the General Data Protection Regulation (GDPR).
  • Assess the current situation and identify issues and recommendations for the GDPR.
  • Collect best practices regarding good governance for GDPR implementation, including the roles of internal audit and risk management.

Prior to the effective implementation of GDPR in May 2018, most European organisations invested significant efforts to comply with the regulation. As a result, substantial progress has been made in integrating GDPR compliance into existing corporate governance frameworks, as well as in adapting corporate governance to address GDPR challenges.

Across Europe and beyond, compliance with the GDPR, or more accurately, compliance failures, has gained significant attention. Organisations need to respond to stakeholders’ concerns about personal data, and boards need an independent opinion.

The next review of the GDPR, the report states, should recognise the relevance of a corporate governance framework, such as the Three Lines of Defence model, to embed the management of privacy risks in the organisation.

The first part of this report gives the key findings from the research and recommendations for stakeholders: European authorities, organisation governance bodies and practitioners, including internal auditors, risk managers and DPOs.

The second part of the report explains the major findings used to support the recommendations. We have, for example, learned that 63% of the professionals indicated that there is good or strong cooperation between internal audit and risk management in relation to GDPR, and that more than 70% of organisations’ boards show interest in receiving independent assurance from internal audit regarding GDPR.