Focus & Features
One of the many challenging and formidable risk management issues faced by organizations today is protecting the privacy of personal information about customers, employees, and business partners. Consumers are concerned with how businesses and organizations use and protect this information. Business owners and management want to meet the needs and expectations of their customers, business partners, and employees; keep any commitments pursuant to contractual agreements; and comply with applicable data privacy and security laws and regulations. Privacy is a global issue. Many jurisdictions, such as the EU (with its General Data Protection Regulation), the US, and the Philippines, have adopted privacy legislation governing the use of personal information, as well as the export of this information across borders. For businesses to operate effectively in this environment, they need to understand and comply with these privacy laws.
To help you become an effective internal auditor, the main objectives of this training are as follows: 1) understand why privacy is important in enforcement activity, incident management, and laws, rules, and regulations; 2) understand your obligations and ensure compliance with applicable laws and regulations when processing personal information; and 3) develop a privacy audit program that will enable you to identify and evaluate the key risks and come up with recommendations for improving your company's privacy compliance program.
Through team exercises, group discussions, case studies, and lectures, attendees will gain a foundation of knowledge that will allow them to properly prepare for and conduct a successful audit of the privacy compliance program.
What You Will Learn
Introduction to Privacy
AICPA Generally Accepted Privacy Principles (GAPP)
Privacy Maturity Model using the GAPP Framework
Engagement Planning
Assessing Risks
Preparing & Performing the Engagement
2. Vulnerability and Penetration Tests
3. Physical Control Tests
4. Social Engineering Tests
Communicating and Monitoring Results
Case Studies
Seminar Conclusion
Plan for Action
Who Should Attend
Data Protection Officers (DPO), Compliance Officers, Information Security Officers, Internal Auditors