Mind the Compliance Gaps: Now Is the Time for a Privacy Audit
January 31, 2024
An ounce of prevention is worth a pound of cure, or, in the case of a privacy audit, something much more valuable: the trust of your stakeholders.
Like a privacy assessment, a privacy audit looks at the structure, shape, governance and operational resilience of a company’s privacy and data protection program. Unlike an assessment, however, which serves to evaluate the company’s privacy posture, an audit is a formalized process for evaluating compliance with specific standards or regulations. For example, a well-designed data privacy audit can help an organization define and implement steps to maintain data compliance — and avoid operational trouble.
The request for a privacy audit can come from a variety of sources. It may originate from an internal audit team, or externally, from a client, customer or regulator. A company might also seek to conduct an audit to earn a compliance certification mandated by certain organizations or regulations — for example, the third-party audits required to earn designations such as ISO or SOC (accounting).
While no empirical evidence points to a rise in privacy audits, it’s likely that more companies are undertaking them now, motivated by several factors. For one, global regulations and laws governing data privacy — such as Europe’s GDPR [1] and California’s CCPA [2] — are increasing in number and complexity, and affecting more companies across all types of industries. This appears to be leading to a greater number of internal audits of privacy compliance programs.
Then there’s the growing risk of regulatory exposure and litigation from third parties (e.g., vendors, suppliers and service providers) in conjunction with a rise in cloud computing and a pervasive risk of data-loss incidents and privacy breaches. [3] Almost two-thirds of legal and compliance professionals surveyed by Compliance Week and FTI Consulting in 2023 said third-party risk management was the top risk factor related to compliance and technology, and privacy audits are an important element of third-party risk management efforts. [4]
Taking a proactive approach to identifying and closing compliance gaps through a privacy audit positions organizations to better mitigate risk and build trust with their stakeholders. Further, being prepared for an audit is strategically smart. An audit request may not be cause for alarm, but it’s clearly better to know how to extinguish a fire before the flames break out.
Assessing the Landscape
The starting place for a privacy audit is an inventory of compliance issues that could potentially affect the business. Then, it must be determined what regulatory bodies have jurisdiction over these matters. For example, a U.S. organization with a footprint in the EU is subject to the GDPR [5] and should be able to prepare and provide a record of processing activities, know how a data subject access request (“DSAR”) is triggered, and know how effectively the organization will respond to a DSAR.
Similarly, organizations should determine the privacy rules that apply most directly to the various parts of their businesses. Compliance with privacy rules for human resources, sales and marketing (including digital marketing), employee surveillance, cybersecurity and customer support programs may all be touched by a privacy audit.
Often, a formal audit request contains a checklist. Sometimes requests arrive with a tight turnaround time, whereas other times regulators and agencies provide advance notice of their requests. Whatever the case, the ability to anticipate typical requests and provide supporting documentation is key to preparation. Plus, closing audit response gaps ahead of time can reduce operational disruption during an actual audit.
After assessing the privacy regulatory landscape, an organization can take on the hard work of defining the scope of the audit, which typically differs agency to agency. Scoping includes identifying internal stakeholders for the audit response and designating team leaders. The team’s mission is to identify and collect documentation during an audit that will satisfy regulators.
Make no mistake, scoping is a major challenge of the process. Even those companies with robust privacy programs that are audited frequently can wrestle with the task.
Getting on the Same Page
Education and communication are essential in a privacy audit. Does an auditor or regulator know the line of business, or have they lumped the company into a category that doesn’t accurately reflect the enterprise and therefore how the organization may be collecting and processing personal data? If a company is a consumer financial institution, for instance, meeting the expectations of a pharma privacy program will be a serious disconnect, and work educating a regulator or other stakeholder will be required to properly scope the audit.
Likewise, it may be smart to educate internal audit teams on privacy policies that are important to regulators. Does the team fully understand the role of the privacy program? If not, it’s possible they could evaluate company data safeguards and security protocols in a way that’s counter to the company’s business objectives and privacy requirements.
These disconnects in understanding the purpose and scope of a privacy program can stall the audit process and even introduce legal repercussions during the audit. This same misalignment of privacy risks may hold true for third parties: Getting them on the same page prior to an audit is critical to success.
Once scoped, conducting tabletop exercises — whether full-on or modified to simply reviewing documentation in a mock audit walk-through — should yield actionable results.
Following the Audit
Companies need to keep in mind that post-audit recommendations or findings (such as program weaknesses) may have to be disclosed to regulators in the future. Audit findings may also find their way to the public, including to third parties or customers, and this disclosure could have a negative impact on reputation. Companies should try to eliminate surprises in their audits; this is where a mock walk-through or test audit conducted by a third party prior to the actual audit can be very helpful.
On the flip side, positive audit results offer organizations an opportunity to focus on the privacy program’s strengths. After all, trust and safety are valuable characteristics in business today.
Coming Full Circle
There’s no doubt that a privacy audit is complex. But it doesn’t have to be disruptive or burdensome. Companies that standardize and automate the process of generating documentation necessary to an audit response will be a step ahead. Generally, if a privacy program has more control over and access to information that’s directly critical to an audit response, say within the system of a third-party partner or privacy program technology, the company can respond more promptly and efficiently during an actual audit.
In the end, understanding the difference between audit findings and recommendations, and knowing how to address each, will bring the process full circle, allowing the company to close any compliance gaps and resume business as usual.
1: Cheng, Sonia. “General Data Protection Regulation (GDPR) Service Sheet,” FTI Consulting (May 9, 2018).
2: “Data Privacy Consulting Services: The California Consumer Privacy Act,” FTI Consulting (accessed Jan. 17, 2024).
3: “Third-Party Risk Management Becomes Dominant Compliance Priority, According to FTI Consulting and Compliance Week Survey,” FTI Consulting (May 16, 2023).
4: “Survey Report: Compliance Tech Priorities in 2023,” Compliance Week (May 15, 2023).
5: Cheng, Sonia. “General Data Protection Regulation (GDPR) Service Sheet,” FTI Consulting (May 9, 2018).