Privacy Control Framework NOREA

Control objectives and controls for privacy audits and privacy assurance engagements


On 1 May 2018, the Privacy Control Framework (PCF) was published. This guide, issued by NOREA, the professional association of IT auditors in the Netherlands, was developed for Dutch chartered IT auditors (Register IT auditors, REs) to guide them in issuing privacy control reports under the EU General Data Protection Regulation (GDPR) and the International Standards on Assurance Engagements (ISAE). The PCF provides the suitable criteria.


Read the NOREA Guide Privacy Control Framework (PCF)


PCF as a starting point

The PCF’s privacy objective is to provide guidance to (audit) professionals in assessing whether an entity’s control objectives regarding privacy and personal data protection are achieved. As such, the PCF can be used as the starting point for tailored privacy audits. The PCF contains the prescribed control objectives and illustrative controls for privacy assurance assignments based on the Assurance 3000 standard (‘NOREA Richtlijn 3000’). In addition, an entity can deploy the PCF to assess the adequacy of its privacy controls or to determine the gaps between the current state of privacy control and its ambitions in light of (changing) legislative frameworks (e.g. the GDPR).


By and for audit experts

In our opinion, the main importance of this new framework is that it has been developed and elaborated by experts, not only on a legal level but also with a practical approach. The PCF was set up by and for audit experts under the NOREA flag, and NOREA also recommends the framework as the starting point for its members.


Privacy Control Framework in practice

Of course, Secura also uses the Privacy Control Framework as a starting point when conducting privacy audits for our customers. Our REs are actively involved in the development of NOREA standards, guidelines, and frameworks. In addition, R.G.S. (Ruud) Kerssens RE RA CISA CRISC, Manager Service Line Advisory & Audit at Secura, is a member of NOREA’s Professional Practices Committee (“Vaktechnische Commissie”) and the knowledge group on Privacy (“Kennisgroep Privacy”). This knowledge group develops products and issues publications to support audit and/or advisory assignments related to the protection and security of personal data, including a Data Protection Impact Assessment (DPIA) and the PCF.

Ruud serves as the linking pin for the Professional Practices Committee in the knowledge group. He has a lot of experience performing IT audits and advisory assignments dealing with the correct and pragmatic application of the GDPR, or, in the Netherlands, the AVG with some additions to the GDPR rules. Where applicable and relevant, the Advisory and Audit team of Secura also combines the privacy rules with other standards, such as NEN 7510.