“Internal auditors use non-personal data in the course of their audits and report critical findings and comments to senior management, the board and the audit committee,” the ECIIA’s response said. “In particular, such data is used to report on weaknesses in internal control processes, risk management and practices in the organisation.”
The ECIIA said it supported the EC’s proposal to guarantee access to data across Europe, which, it added, was especially crucial for internal auditors working in a group with offices in different countries across Europe.
“On the basis of the Global Standards for the profession, internal auditors are bound to follow the requirements of mandatory professional guidance, so, in effect, they have a common approach across Europe,” ECIIA President Farid Aractingi said. “Therefore, subject to the principle of subsidiarity, it would be desirable also to take a common approach to the access of data for the Internal Auditors in Europe.”
The EC’s proposals are set out in its document State of the Union 2017: A framework for the free flow of non-personal data in the EU.
They are meant to complement its existing rules for personal data. The new rules, which will enable the storage and processing of non-personal data across the Union, are intended to boost the competitiveness of European businesses and to modernise public services in an effective EU single market for data services.
Starting gun fired for EU data regulation compliance
The European Union has published the final draft of its long-awaited Directive on General Data Protection and the General Data Protection Regulation (GDPR) that enforces it – giving internal auditors two years to help organisations prepare.
“The publication of these documents is the starting gun for companies to get ready for sweeping changes to the way they handle data,” Henrik Stein, ECIIA President, says. “Internal auditors need to ensure that their organisations are ahead in that race.”
Companies need plenty of time to prepare because GDPR brings fundamental reform to data protection. That includes ensuring that companies obtain explicit and informed consent from customers as to how their information could and would be used. Any person has a “right to be forgotten,” under which he or she can request that the data controller take all reasonable steps to erase their data. And businesses need to appoint a designated data officer.
Getting it wrong attracts potentially high fines – between 2% and 5% of a company’s turnover.
“Data protection is a growing area of public concern and getting it wrong represents a risk of damage to a company’s reputation, in addition to attracting punishing fines,” Stein said. “The time for action is now.”
While the regulation came into force on 24 May 2016, it applies from 25 May 2018. The directive entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
To read the ECIIA’s special report on how internal auditors can prepare for GDPR in European Governance, see pages 9-11.
The ECIIA is to work with the European Commission’s DG Connect group to consult on the body’s emerging Digital Agenda for Europe Initiative.
The move entails members of the ECIIA’s Public Affairs Committee and its Board responding to the EC’s ongoing consultations on data privacy and cybersecurity – two complex and fast-changing areas that internal auditors need to keep abreast of.
“Data privacy and cybersecurity are key issues for our members,” Henrik Stein, ECIIA President, says. “We have decided to work closely with DG Connect in these areas to ensure the voice of internal auditors is heard and that we can keep abreast of emerging developments and ideas.”
This week, the Commission announced that the EU Data Protection Reforms had been agreed by the European Parliament and the Council, following final negotiations between the three institutions – the so-called “trilogue” meetings.
While these reforms herald groundbreaking changes to data protection across Europe, more consultations on data privacy and cybersecurity are to follow.
The agreed reforms comprise two main instruments:
The General Data Protection Regulation is designed to enable people to better control their personal data. New rules govern the way that companies need to store, retain and handle personal data.
The Data Protection Directive for the police and criminal justice sector aims to ensure that the data of victims, witnesses and suspects of crimes are protected in the context of a criminal investigation or a law enforcement action. The more harmonised laws should also facilitate cross-border cooperation between police and prosecutors to combat crime and terrorism more effectively across Europe.