The views of privacy auditors regarding standards and methodologies

Alan Toy, David Lau, David Hay, Gehan Gunasekara

Research output: Contribution to journalArticle

Abstract

Purpose: This paper aims to uncover the practices of different privacy auditors to reveal the extent of any similarities in such practices. The purpose is to investigate the drivers of practices used by privacy auditors and to identify potential for improvements in the practice of privacy auditing so that privacy audits may better serve stakeholders. Design/methodology/approach: Six semi-structured interviews with seven privacy auditors and regulators and an analyst across Australia, Canada, New Zealand and the USA are used as the basis for our analysis. Findings: The study shows that some privacy auditors view privacy as an organizational issue, which means that all staff within an organization should understand the privacy issues that are relevant to the organization and to its customers. Because this practice goes beyond a mere compliance approach to privacy auditing, it indicates that there is a way to avoid the approach of merely applying standards from national data privacy laws which is an approach that has been subject to criticism because it is not applicable to the current situation of global applications and cross-border data. The interview themes demonstrate that privacy audits face significant challenges, such as the lack of a privacy auditing profession and the difficulty of raising the awareness of organizations and individuals regarding information privacy rights and duties. Originality/value: Privacy auditing is mostly unexplored by academic research and little is known about the drivers behind the practice of privacy auditing. This study is the first to document the views of privacy auditors regarding the practices that they use. It also presents novel results regarding the drivers of the practice of privacy auditing and the interests of the beneficiaries of privacy audits. It builds on research that argues for the existence of best practices for privacy (Toy, 2013; Toy and Hay, 2015) and it extends this argument by providing reasons why privacy auditors may benefit from the use of best practices for privacy.

Original languageEnglish
JournalMeditari Accountancy Research
DOIs
Publication statusPublished - 2019 Jan 1

Fingerprint

Privacy
Methodology
Auditors
Auditing
Audit
Best practice
Toys
Design methodology
Criticism
Analysts
Privacy rights
Cross-border
Information privacy
Staff
Canada
Academic research
Stakeholders
Structured interview
Organizational issues
New Zealand

Keywords

  • Auditing
  • Privacy
  • Privacy auditing

ASJC Scopus subject areas

  • Accounting

Cite this

The views of privacy auditors regarding standards and methodologies. / Toy, Alan; Lau, David; Hay, David; Gunasekara, Gehan.

In: Meditari Accountancy Research, 01.01.2019.

Research output: Contribution to journalArticle

@article{b752c697464b4adc965701785dab2f25,
title = "The views of privacy auditors regarding standards and methodologies",
abstract = "Purpose: This paper aims to uncover the practices of different privacy auditors to reveal the extent of any similarities in such practices. The purpose is to investigate the drivers of practices used by privacy auditors and to identify potential for improvements in the practice of privacy auditing so that privacy audits may better serve stakeholders. Design/methodology/approach: Six semi-structured interviews with seven privacy auditors and regulators and an analyst across Australia, Canada, New Zealand and the USA are used as the basis for our analysis. Findings: The study shows that some privacy auditors view privacy as an organizational issue, which means that all staff within an organization should understand the privacy issues that are relevant to the organization and to its customers. Because this practice goes beyond a mere compliance approach to privacy auditing, it indicates that there is a way to avoid the approach of merely applying standards from national data privacy laws which is an approach that has been subject to criticism because it is not applicable to the current situation of global applications and cross-border data. The interview themes demonstrate that privacy audits face significant challenges, such as the lack of a privacy auditing profession and the difficulty of raising the awareness of organizations and individuals regarding information privacy rights and duties. Originality/value: Privacy auditing is mostly unexplored by academic research and little is known about the drivers behind the practice of privacy auditing. This study is the first to document the views of privacy auditors regarding the practices that they use. It also presents novel results regarding the drivers of the practice of privacy auditing and the interests of the beneficiaries of privacy audits. It builds on research that argues for the existence of best practices for privacy (Toy, 2013; Toy and Hay, 2015) and it extends this argument by providing reasons why privacy auditors may benefit from the use of best practices for privacy.",
keywords = "Auditing, Privacy, Privacy auditing",
author = "Alan Toy and David Lau and David Hay and Gehan Gunasekara",
year = "2019",
month = "1",
day = "1",
doi = "10.1108/MEDAR-07-2018-0367",
language = "English",
journal = "Meditari Accountancy Research",
issn = "2049-372X",
publisher = "Emerald Group Publishing Ltd.",

}

TY - JOUR

T1 - The views of privacy auditors regarding standards and methodologies

AU - Toy, Alan

AU - Lau, David

AU - Hay, David

AU - Gunasekara, Gehan

PY - 2019/1/1

Y1 - 2019/1/1

N2 - Purpose: This paper aims to uncover the practices of different privacy auditors to reveal the extent of any similarities in such practices. The purpose is to investigate the drivers of practices used by privacy auditors and to identify potential for improvements in the practice of privacy auditing so that privacy audits may better serve stakeholders. Design/methodology/approach: Six semi-structured interviews with seven privacy auditors and regulators and an analyst across Australia, Canada, New Zealand and the USA are used as the basis for our analysis. Findings: The study shows that some privacy auditors view privacy as an organizational issue, which means that all staff within an organization should understand the privacy issues that are relevant to the organization and to its customers. Because this practice goes beyond a mere compliance approach to privacy auditing, it indicates that there is a way to avoid the approach of merely applying standards from national data privacy laws which is an approach that has been subject to criticism because it is not applicable to the current situation of global applications and cross-border data. The interview themes demonstrate that privacy audits face significant challenges, such as the lack of a privacy auditing profession and the difficulty of raising the awareness of organizations and individuals regarding information privacy rights and duties. Originality/value: Privacy auditing is mostly unexplored by academic research and little is known about the drivers behind the practice of privacy auditing. This study is the first to document the views of privacy auditors regarding the practices that they use. It also presents novel results regarding the drivers of the practice of privacy auditing and the interests of the beneficiaries of privacy audits. It builds on research that argues for the existence of best practices for privacy (Toy, 2013; Toy and Hay, 2015) and it extends this argument by providing reasons why privacy auditors may benefit from the use of best practices for privacy.

AB - Purpose: This paper aims to uncover the practices of different privacy auditors to reveal the extent of any similarities in such practices. The purpose is to investigate the drivers of practices used by privacy auditors and to identify potential for improvements in the practice of privacy auditing so that privacy audits may better serve stakeholders. Design/methodology/approach: Six semi-structured interviews with seven privacy auditors and regulators and an analyst across Australia, Canada, New Zealand and the USA are used as the basis for our analysis. Findings: The study shows that some privacy auditors view privacy as an organizational issue, which means that all staff within an organization should understand the privacy issues that are relevant to the organization and to its customers. Because this practice goes beyond a mere compliance approach to privacy auditing, it indicates that there is a way to avoid the approach of merely applying standards from national data privacy laws which is an approach that has been subject to criticism because it is not applicable to the current situation of global applications and cross-border data. The interview themes demonstrate that privacy audits face significant challenges, such as the lack of a privacy auditing profession and the difficulty of raising the awareness of organizations and individuals regarding information privacy rights and duties. Originality/value: Privacy auditing is mostly unexplored by academic research and little is known about the drivers behind the practice of privacy auditing. This study is the first to document the views of privacy auditors regarding the practices that they use. It also presents novel results regarding the drivers of the practice of privacy auditing and the interests of the beneficiaries of privacy audits. It builds on research that argues for the existence of best practices for privacy (Toy, 2013; Toy and Hay, 2015) and it extends this argument by providing reasons why privacy auditors may benefit from the use of best practices for privacy.

KW - Auditing

KW - Privacy

KW - Privacy auditing

UR - http://www.scopus.com/inward/record.url?scp=85065019720&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85065019720&partnerID=8YFLogxK

U2 - 10.1108/MEDAR-07-2018-0367

DO - 10.1108/MEDAR-07-2018-0367

M3 - Article

AN - SCOPUS:85065019720

JO - Meditari Accountancy Research

JF - Meditari Accountancy Research

SN - 2049-372X

ER -