FEATURE

Aligning COSO and Privacy Frameworks to Manage Privacy in a Post-GDPR World
There is one constant in the data privacy landscape: change. The EU General Data Protection Regulation (GDPR) was adopted in 2016 (and became enforceable in May 2018) to protect the personal data of individuals in the EU and to harmonize data privacy laws across EU member states. Since then, data privacy has become a growing concern for boards of directors (BoDs). While global organizations, in addition to healthcare and financial institutions, had some prior experience with privacy regulations, compliance with the growing number of comprehensive privacy laws, e.g., GDPR, Brazil's data protection regulation (Lei Geral de Proteção de Dados [LGPD]) and new US state laws such as the California Consumer Privacy Act (CCPA), is a new and unfamiliar business challenge for many organizations. This is a rapidly growing issue: a number of US states proposed new privacy laws in 2019, and countries around the globe have enacted many other new regulations over the last three years. Simply put, keeping up with privacy compliance is now a never-ending task.1

Many organizations are actively looking for standardization in evaluating privacy risk and ensuring that the controls in place align with enterprise risk management objectives. Compliance can be streamlined by aligning new privacy frameworks with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control—Integrated Framework, a well-established, widely used framework.

There are several privacy standards and frameworks that can underpin a privacy program. Some governments and national standards bodies have developed standards to facilitate compliance with privacy and data protection requirements, such as British Standard 10012, which establishes a path toward certification to demonstrate compliance with data protection regulations like GDPR.2 Others have outlined frameworks for ensuring that appropriate privacy protections are in place.

Donel Martinez, CISA, CAMS, CSF Practitioner


Is a director in the risk advisory practice of Focal Point Data Risk, specializing in audit and compliance and their application to
areas such as cybersecurity and privacy. Martinez has led many large-scale compliance engagements covering areas such as IT,
information security, the US Sarbanes-Oxley Act of 2002 (SOX) and data privacy. He has extensive knowledge of regulatory
standards and frameworks, including SOX, the US Health Insurance Portability and Accountability Act (HIPAA), US National
Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ISO 27001, the US Bank Secrecy Act (BSA) and
US-state-specific standards.

Joshua Marks, JD, CIPP/US


Is a manager with Focal Point Data Risk’s national data privacy practice. Marks supports Focal Point’s clients with his wide-ranging
data privacy laws and regulations experience. He has aided governmental organizations, multinational corporations and regional
enterprises in operational compliance efforts to meet the data privacy requirements of laws such as the EU General Data
Protection Regulation and the US State of California’s Consumer Privacy Act. Prior to joining Focal Point, Marks was a civil
litigation attorney and practiced for nearly 10 years defending corporations in state and federal court litigation. He is also a
recognized industry thought leader and provides guidance to other legal professionals on data privacy and security issues through
his involvement with nonprofit bar associations.

© 2020 ISACA. All rights reserved. www.isaca.org ISACA JOURNAL VOL 2 1


For instance, the Asia-Pacific Economic Cooperation (APEC) created the APEC Privacy Framework, a principles-based framework for the 21 member countries of APEC's regional economic forum, to encourage the development of appropriate privacy protections in the Asia-Pacific region.3 The APEC Privacy Framework serves as a basis for the APEC Cross-Border Privacy Rules System, which establishes an accountability mechanism for organizations to certify their data privacy practices.4

In addition, the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), whose respective cybersecurity frameworks are used by many organizations, have both developed new privacy frameworks/standards. The NIST Privacy Framework was released on 16 January 2020.5 Additionally, the ISO/IEC 27701 standard, published in 2019, builds on the privacy framework described in ISO/IEC 29100, mapping specific privacy-related controls to that framework.6 Both have already been utilized by organizations seeking a solid foundation for their privacy program.

The widely used COSO framework describes five key components of internal control that must exist to achieve an entity's mission: a control environment, risk assessments, control activities, information and communication, and monitoring activities.7 Further, the COSO framework defines 17 principles aligned with these five key components (figure 1). To align with COSO, a privacy framework should:

• Define a privacy control environment
• Establish a risk assessment for privacy
• Document applicable privacy control activities
• Effectively communicate privacy requirements
• Establish processes for monitoring and maintaining compliance

Figure 1—Aligning a Privacy Framework With COSO

A privacy framework (ISO, NIST) sits between the COSO components and the corresponding privacy activities:

• Control environment: Defining the right privacy control environment
• Risk assessment: Reinventing the risk assessment for privacy
• Control activities: Documenting applicable privacy control activities
• Information and communication: Effective communication of privacy requirements
• Monitoring activities: Keeping up with compliance of the privacy program

Defining the Right Privacy Control Environment

Per the COSO framework, the control environment is the set of standards, processes and structures that provides the basis for carrying out internal control across the organization. Designing the right control environment for an organization is a balancing act. The controls need to meet the objectives of the organization, but they also need to be realistic, recognizing the capabilities of the team and available resources. While each control environment is unique, COSO establishes five guiding principles:

1. Demonstrating commitment to integrity and ethical values
2. Exercising oversight responsibility
3. Establishing structure, authority and responsibility
4. Demonstrating commitment to competence
5. Enforcing accountability


A privacy program may meet these principles by ensuring board involvement, authority and responsibility, and an appropriate team.

Board Involvement

First, the organization must demonstrate a commitment to integrity and ethical values and involve the BoD. As with all significant enterprise risk, the board has ultimate accountability for the strategies in place to protect the organization. As such, the board should have regular conversations with the privacy officer or the person responsible for maintaining the privacy program.

The Establishment of Authority and Responsibility

The organization must establish, with board oversight, a formal charter for the privacy program. This charter can:

• Define the privacy team and a privacy committee, if applicable
• Define roles and responsibilities for oversight and alignment with strategy and objectives
• Set the tone for the introduction, design or enhancement of privacy controls and privacy compliance management
• Identify the responsibilities and the relationship of the chief information security officer (CISO) and security functions with the privacy function
• Provide the process for the review and approval of privacy-related policies and procedures

Those establishing this charter should also involve human resources (HR) to build a strong sanction program related to privacy concerns and issues. Embedding privacy throughout the organization is a key component. For instance, privacy concerns can be addressed by taking privacy into account when creating any engineering process (i.e., privacy by design) and by appointing privacy liaisons across the organization.

Building and Maintaining a Team

The team responsible for maintaining privacy operations must have the skills and capabilities outlined in the privacy charter. This list of skills will likely be long and will probably have to evolve as technology advances. Competencies outside the privacy team also need to be evaluated. Marketing, IT operations and HR need to protect the data in their care as well. An adequate training program must exist and should include different courses for different responsibilities, such as training for personnel who must carry out privacy tasks (e.g., software development, HR, marketing personnel), and broader awareness of the privacy program and privacy requirements for larger audiences.

Reinventing the Risk Assessment for Privacy

Risk assessment is a "dynamic and iterative process for identifying and assessing risks to the achievement of objectives"8 across the organization. Those risk factors are considered relative to established risk tolerances. Therefore, a risk assessment is the basis for determining how to manage risk across the organization. COSO identifies four principles supporting this component:9

1. Specifying suitable objectives
2. Identifying and analyzing risk
3. Assessing fraud risk
4. Identifying and analyzing significant change

Performing a risk assessment that addresses privacy concerns and aligns with the COSO framework requires the development of a methodology applicable to the environment and the unique challenges of privacy risk.

According to NIST, while managing cybersecurity risk is necessary to address privacy risk, it is not sufficient, as privacy risk may arise beyond the scope of cybersecurity concerns.10 For instance, while cybersecurity risk factors are associated with the loss of confidentiality, integrity and availability of information, privacy risk factors are associated with the unintended consequences of data processing, including processing that is fully authorized and operating as designed. In other words, a privacy risk is the "likelihood that individuals will experience problems resulting from data processing, and the impact should they occur."11 NIST further defines privacy risk in NIST Internal Report (IR) 8062, "An Introduction to Privacy Engineering and Risk Management in Federal Systems,"12 Section 3.2, and in the Privacy Risk Assessment Methodology (PRAM), which was created as an application of the NIST IR 8062 risk model to help organizations analyze, assess and prioritize privacy risk. It identifies the following four impact factors of privacy risk:13

1. Noncompliance costs such as regulatory fines, litigation costs, etc.
2. Direct business costs such as revenue or performance loss from customer abandonment or avoidance
3. Reputational costs such as brand damage, loss of customer trust, etc.
4. Internal culture costs such as impact on capabilities

It may also be helpful to add consumer impact as a fifth factor that considers the level of potential financial loss consumers would experience.

Similarly, NIST defines some factors organizations may use to assess likelihood, such as customer demographics and the information available about privacy problems in similar scenarios.14 In addition, every organization may consider the factors in figure 2 in making this assessment.

All these risk factors should be carefully considered and clearly communicated to executive leadership and the board so they can easily determine whether their privacy risk aligns with the risk appetite of the organization.

Figure 2—Likelihood Risk Factors

• Business Profile: number of records processed; number of new/revised processing methods; outsourcing; sophisticated environment
• Regulatory Change: complexity of requirements; changes in the last 24 months; availability of guides relating to non-substantive requirements
• Regulatory Environment: emerging area of focus; government examinations; litigation and enforcement activities; consumer advocacy groups, legislators and media

Documenting Applicable Control Activities

The COSO framework describes control activities as the "actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out."15 Control activities are performed at "all levels of the entity, at various stages within business processes, and over the technology environment."16 Three principles should be present to meet this COSO framework component:17

1. Selecting and developing control activities
2. Selecting and developing general controls over technology
3. Deploying through policies and procedures

Selecting and developing applicable control activities should be connected to the risk assessment, identifying control activities for key or critical personally identifiable information (PII). Because all PII is in scope, prioritization is very important. Control activities should be feasible to accomplish with the assigned resources.

Performing privacy impact assessments (PIAs), which include the evaluation and identification of privacy risk associated with an organizational process, may help identify control activities across the organization.18, 19 Additionally, the Control-P Function of the NIST Privacy Framework Core suggests minimum control activities in an effective control environment, such as procedures for authorizing data processing.20 Different functions and skill sets are necessary to design, maintain and test the different privacy controls (figure 3).

By performing an information mapping exercise that identifies the life cycle of PII throughout the organization, including how it is processed, the purposes of its use, where it is retained and how it is shared, privacy leaders can better inform management of the privacy risk related to that PII.

In addition, organizations must evaluate their mix of control activities, such as system access, system configuration, review controls and authorization, while considering several attributes for each control, such as:21, 22

• The category of the control (e.g., key performance indicator [KPI]/key risk indicator [KRI], or third-party oversight)
• Whether the control is preventive or detective
• Whether the control is a system/automated control or a manual control
• Whether the control is maintained internally or externally by a third party
• The frequency of the control execution

All controls should be rated, and the first rating may be based on the strength of these attributes. For example, an automated control may be more effective than a manual control, provided the general controls over the technology that runs it (principle 2 above, such as change management and access to the system) are themselves effective, and a preventive control may be more effective than a detective control. Control activities must also be deployed through policies and procedures, which should be implemented to support management's directives. They should establish responsibility and accountability for the execution of privacy controls.

Figure 3—Business Functions That Help Support Privacy

• Legal: help properly interpret laws and regulations based on the organization's business profile.
• IT and Security: strong understanding of IT and technology to grasp how PII flows through the systems and processes.
• Executive Leadership: understanding of business processes and the big picture.


To illustrate with an example, many privacy regulations such as GDPR,23 Brazil's LGPD24 and the CCPA25 provide individuals certain rights, such as access to their own data/PII possessed by an organization. These rights must be granted upon a proper request made by the individual. To comply with requests, individual rights fulfillment processes must be in place to address, for instance, requests by the individual to access or delete PII handled by the organization. Inevitably, policies, procedures and practices must be established regarding this requirement. An organization with a less complex PII landscape may be capable of fully automating the fulfillment process, thereby establishing an automated control over the fulfillment. Other organizations may use manual controls, established through detailed procedures and tracking of fulfillment. Those organizations might include an oversight control function to review fulfillment prior to completion. In either case, the process should verify the identity of the requester before any PII is disclosed or deleted, since a fulfillment process that does not is itself a channel for unauthorized disclosure.

In addition, compliance is not just a legal, compliance or privacy team function. As a preventive control, all organizations should include privacy training for employees who handle PII so they can recognize the rights that apply and direct data subjects to the appropriate channels for requests.

Meeting Effective Communication Requirements for Privacy

The COSO framework identifies "information and communication" as a core component of internal control. Certainly, quality data to inform control activities is necessary to effectively execute internal control responsibilities. Additionally, communication within and outside the organization through a continuous and iterative process of sharing information is just as critical to internal control.26 Communication within the organization may include the dissemination of the objectives and responsibilities for internal control. Communication outside the organization may establish or meet the requirements and expectations of external parties. COSO defines three principles related to this component:27

1. Obtaining and using relevant and quality information
2. Communicating internally
3. Communicating externally

Every stakeholder involved in managing privacy risk must consider the quality and effectiveness of communications. The board and executive leadership set the tone and must build a culture that prioritizes clear and direct communication about privacy risk and obligations. In addition, communication with external parties, including regulatory organizations, should be clear and consistent. For instance, the Communicate-P function defined in the NIST Privacy Framework recommends developing and implementing "appropriate activities to provide organizations and individuals with a reliable understanding about how data is processed and the associated privacy risks."28 As the NIST Privacy Framework describes, this might include establishing formal policies and training to ensure that impacted individuals and organizations are notified in the event of a privacy breach. It may also include developing transparent policies to communicate data processing purposes and implementing mechanisms for obtaining feedback from individuals about data processing risk.

Managing the Compliance of the Privacy Program

The "monitoring activities" component of the COSO framework suggests establishing evaluations to ensure that each of the COSO framework components and principles are present and functioning.29 Business processes may contain ongoing evaluations at all levels in the organization, ensuring consistent application of the framework. Moreover, periodic evaluations may be conducted with varying scope and frequency, depending on the organization's risk profile, to focus on specific concerns or other management considerations. Findings may be evaluated against standard-setting bodies or regulations, while deficiencies should be communicated to organization leadership.30 The two COSO principles related to this component are conducting ongoing and/or separate evaluations, and evaluating and communicating deficiencies.

Ongoing monitoring (the second line of defense) and independent evaluations (the third line of defense) should be considered in the development and maintenance of any privacy program to evaluate its effectiveness and communicate its deficiencies. For instance, the NIST Privacy Framework Core describes, within the Monitoring and Review category of the Govern-P function, an ongoing review of the organization's privacy posture to inform management of privacy risk.31 Subcategory GV.MT-P1 describes the reevaluation of privacy risk on an ongoing basis, including key factors such as the organization's business environment, legal obligations, risk tolerance and data processing functions.32 An organization seeking to align its privacy program with the COSO framework may incorporate these elements in its control environment to ensure ongoing compliance.

Three Control Objectives

Within COSO, there are three central control objectives focused on operations, reporting and compliance. These three control objectives may be applied to privacy controls (figure 4).

Operations

The COSO framework defines operational objectives of internal control as pertaining to the effectiveness and efficiency of the entity's operations. These may include operational and financial performance goals and safeguarding assets against loss.33 When it comes to managing privacy control operation objectives, an organization may consider both the type of PII and its use within the operations of the organization. PII may be involved in marketing processes, employment processes, consumer product fulfillment processes and many others throughout the organization. The applicable privacy controls that align with business operations in those varied areas may differ. However, the central objective of maintaining the privacy of PII throughout the organization's operations is overarching. Thus, the operations objective informs the selected controls.

Reporting

COSO reporting objectives typically pertain to internal and external financial and nonfinancial reporting, which may encompass reliability, timeliness, transparency or other terms set forth by regulators.34 In the world of privacy compliance, the type, transparency and timing of reporting are critical. When establishing reporting processes, determining who relies on each report type (e.g., breach notifications, privacy KRIs) and tailoring the reports to that audience are good starting points. The following types of reports are critical to the success of many privacy programs: incidents/breaches, data subject rights fulfillment, third-party risk management metrics and privacy-related KRIs.

Figure 4—Examples of Privacy Control Objectives

• Operations examples: type of PII; the whole organization; privileged access
• Reporting examples: breaches; effectiveness of program; third-party risk management; board reporting; privacy KRIs; regulatory reporting
• Compliance examples: GDPR; CCPA; HIPAA; Gramm-Leach-Bliley Act (GLBA); state breach notification laws

To remain compliant with a number of privacy regulations, the timing of these reports is a critical factor. For example, GDPR Article 33 requires that organizations notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it; where the breach is likely to result in a high risk to individuals, Article 34 also requires notifying the affected data subjects without undue delay.35 The clock starts at awareness, not at confirmation of root cause, so the incident response process must record when the breach was first detected. In addition, regular internal reporting to executives and boards on the effectiveness of the privacy program is key to maintaining investments in privacy and ensuring that the right resources are in place to reduce privacy risk.

Compliance

Compliance objectives pertain to an organization's adherence to laws and regulations.36 When implementing a privacy framework, it is important to consider how it aligns with all applicable laws and regulations and whether it is flexible enough to accommodate future regulatory requirements (figure 5). Although requirements vary by regulation, strong privacy controls applied consistently across an organization help decrease the effort needed to meet new requirements. Many fundamental privacy concepts such as privacy notices or individual rights to PII are common to most new privacy regulations. Identifying these universal concepts and utilizing privacy frameworks to implement them aids in the development of a control environment that is compliant and effectively manages privacy risk.

Figure 5—Compliance Concerns Addressed by a Framework

A privacy framework at the center of the figure addresses the surrounding compliance concerns: state and international requirements, breach notification, online privacy, financial privacy, workplace privacy and medical privacy.

Hierarchical Application

For a privacy framework to align with COSO, it must apply to the whole organization, from entity-level controls that set the tone at the top of the organization to controls specific to certain business functions. For example, NIST Privacy Framework Core subcategory GV.PO-P1 states, "Organizational privacy values and policies … are established and communicated."37 This would likely be defined as an entity-level control. In comparison, while the basis of subcategory CT.DP-P2, "Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization)," might apply across the organization, execution procedures would need to be tailored to each business function.38 Mapping a framework across an organization is not an easy step. It requires the organization to determine which controls should be applied at the entity level and which should be tailored to specific business processes.



The Benefits of Aligning Privacy With COSO

Without a privacy framework in place, it is nearly impossible for an organization to keep pace with changing data protection regulations, putting the organization at great risk. Using a framework that aligns with a widely adopted standard such as COSO provides a number of benefits:

• Streamlined efforts: Aligning privacy controls with COSO greatly reduces the burden on audit, operations and implementation teams, requiring fewer audits and streamlining remediation efforts.
• Cost and time savings: Addressing privacy compliance ad hoc is a costly experiment. By using a framework, organizations can apply privacy controls across regulations, minimizing the number of resources needed to manage compliance, reducing compliance costs and saving significant time. In addition, a framework helps reduce the risk of fines and penalties for noncompliance through a common structure and standardization.
• Sustainable compliance: Implementing a privacy framework makes it possible for the organization to scale its privacy program with organizational change, new technologies and shifting regulations.

While choosing and customizing a framework does require a good amount of effort up front, when implemented properly, it can save an organization time, resources and budget for years to come.

Endnotes

1 Committee of Sponsoring Organizations of the Treadway Commission, Internal Control—Integrated Framework, Executive Summary, 2013, https://www.coso.org/Pages/ic.aspx
2 British Standards Institution, British Standard 10012, Personal Information Management, 2017, https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/Introduction-to-BS-10012/
3 Asia-Pacific Economic Cooperation, APEC Privacy Framework (2015), August 2017, https://www.apec.org/Publications/2017/08/APEC-Privacy-Framework-(2015)
4 Cross Border Privacy Rules System, "Policies, Rules and Guidelines," http://cbprs.org/documents/
5 National Institute of Standards and Technology, "NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management," USA, 16 January 2020, https://www.nist.gov/privacy-framework/privacy-framework
6 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), Security Techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management—Requirements and Guidelines, August 2019, https://www.iso.org/standard/71670.html
7 Op cit Committee of Sponsoring Organizations of the Treadway Commission
8 Ibid.
9 Ibid.
10 Op cit National Institute of Standards and Technology
11 Ibid.
12 Brooks, S.; M. Garcia; N. Lefkovitz; S. Lightman; E. Nadeau; "An Introduction to Privacy Engineering and Risk Management in Federal Systems," National Institute of Standards and Technology (NIST) Internal Report (IR) 8062, USA, January 2017, https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf
13 National Institute of Standards and Technology, "Risk Assessment Tools," USA, 28 October 2018, https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/collaboration-space/browse/risk-assessment-tools
14 Op cit National Institute of Standards and Technology, January 2020
15 Op cit Committee of Sponsoring Organizations of the Treadway Commission
16 Ibid.
17 Ibid.
18 Op cit National Institute of Standards and Technology, January 2020
19 Op cit National Institute of Standards and Technology, October 2018
20 Op cit National Institute of Standards and Technology, January 2020
21 Ibid.
22 Op cit Committee of Sponsoring Organizations of the Treadway Commission
23 European Parliament, "Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation)," 2016
24 Lei No. 13.709, de 14 de Agosto de 2018, DIÁRIO OFICIAL DA UNIÃO [D.O.U.] de 15.8.2018 (Braz.). Lei Geral de Proteção de Dados Pessoais, Art. 18, http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm (Unofficial English translation available at: https://iapp.org/resources/article/brazils-general-data-protection-law-english-translation/)
25 California Consumer Privacy Act, California Civil Code § 1798.100-125, USA, 2018
26 Op cit Committee of Sponsoring Organizations of the Treadway Commission
27 Ibid.
28 Op cit National Institute of Standards and Technology, January 2020
29 Op cit Committee of Sponsoring Organizations of the Treadway Commission
30 Ibid.
31 Op cit National Institute of Standards and Technology, January 2020
32 Ibid.
33 Op cit Committee of Sponsoring Organizations of the Treadway Commission
34 Ibid.
35 Op cit European Parliament
36 Op cit Committee of Sponsoring Organizations of the Treadway Commission
37 Op cit National Institute of Standards and Technology, January 2020
38 Ibid.