The word audit does not conjure especially pleasant thoughts for most people. It usually means having your financials pored over in search of mistakes, which in some cases can even send somebody to jail. Audits have been cited by a president as a reason not to release tax returns, been the focus of a Simpsons episode, and are almost universally thought of as a profoundly negative thing.
However, accuracy in financial auditing is essential, and auditors who fail to perform their primary role effectively are punished. Think of Arthur Andersen, whose role in the collapse of Enron changed the legal landscape around auditing. It was considered one of the best and most respected accountancy firms in the world; now it is little more than a side note in US corporate history.
A focus on accounting and financial responsibility has existed for a long time, and since the housing crash of 2008 it has become even more important. The same cannot be said of data.
It is not much of a cognitive leap to see that data is often as important as finances, if not more so. After all, the financial information is usually present within the data a company holds anyway, alongside almost everything from personal employee records through to sales figures and strategies. Despite this, there is currently no universal, mandatory data auditing regime comparable to financial audit, either for security or for accuracy; sector-specific standards such as PCI DSS for card data or ISO 27001 certification exist, but none applies to every organization that holds data.
A data audit today usually means examining the accuracy of your own data, updating older data sets and checking that what is held is correct. Two things are missing. First, it does not formally address data security, which is arguably the most important element of any data strategy. Second, it is more often than not done internally, frequently by the very people who are paid to keep the data secure, so it offers none of the independence that a financial audit provides.
The system in the US is very confusing. Different states have different breach-notification and privacy laws, some of which go well beyond the federal baseline, while certain federal laws pre-empt state rules in their own sectors. This makes for a patchwork that is hard to enforce and audit against: an auditor can look at one company's data handling in one state and say it is fine, while the same practices in another state would be deemed in breach of multiple rules.
However, there is one key reason why independent auditors will begin to work to a single, specific set of rules in the coming years.
This is the General Data Protection Regulation (GDPR), an EU regulation adopted in 2016 and applying from 25 May 2018, which sets specific standards for how companies process any personal data relating to people in the EU. Although it is a European law, its reach is not limited to European companies: it applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, and the global nature of many companies means the same protections will in practice extend to everybody. For example, if a US-based company holds a database of 1 million US customers and one customer in the EU, and it is marketing to or tracking that EU customer, the processing of that individual's data must conform to the GDPR, and in practice the whole database will be handled to the same standard. Note that the test is whether the data subject is in the EU, not their citizenship.
This regulation requires stronger protections than most US states, and even where a state already sets a comparable bar, it creates a foundation on which additional security can be built. It is also complex: every EU member state has its own supervisory authority, and a company that is hacked and loses personal data must notify the competent supervisory authority (for cross-border processing, its lead authority) within 72 hours of becoming aware of the breach. It also brings an enforcement element, since a company holding data on a French resident could at any point be investigated by the French data protection authority, for example. This is similar in spirit to the random auditing done on company finances, forcing companies to continuously maintain their data security and storage practices rather than tidy up once a year.
At the moment, exactly how this will impact companies in practice is yet to be seen. The text of the regulation itself is final, but guidance on how it will be enforced is still being written, and factors such as Brexit and the new US administration may complicate its implementation. To further muddy the water, the regulation runs to around 200 pages, which alone demonstrates its complexity.
However, regardless of the complexities the regulation is likely to create, it will have a profound impact on how our data is stored and, more importantly, on how companies are held to account for the way they store it.