Interested in this topic? Visit the links below for more resources:
Visit The IIA's website or YouTube channel for related topics and more.
00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech.
00:00:07 The IIA
Charles King sits down with Gavin Ambaraj from Meta to explore how privacy intersects with internal auditing.
00:00:15 The IIA
They discuss why auditors should care about privacy, key data risks, and global regulations, and they provide practical steps for auditing privacy programs.
00:00:27 The IIA
From core privacy principles like transparency, consent, and data minimization, to lessons learned in cross-functional collaboration, this episode provides auditors with a roadmap for tackling privacy audits in an AI-driven world.
00:00:44 Charles King
I'm really excited to have this discussion today.
00:00:47 Charles King
You know, we've been working together for, I guess, coming up on five years now.
00:00:52 Charles King
in different capacities and privacy, especially at Meta, but I think privacy in general is just such a fascinating topic and it's getting so much more attention even more in the age of AI.
00:01:07 Charles King
So while Meta may have somewhat unique privacy concerns relative to other companies, I think privacy is something that really impacts every organization in the world.
00:01:18 Charles King
And as auditors, we really need to be focused on
00:01:22 Charles King
understanding how our organizations are dealing with personal data.
00:01:27 Charles King
But I wonder, just from your perspective and being a leader in privacy and in internal audit, why do you think internal auditors should care about privacy?
00:01:38 Charles King
Why should this be a focus on our risk assessments and internal audit plans?
00:01:43 Charles King
A.
00:01:44 Kavin Anburaj
Lot of people think that privacy risks are very regulatory and very legal based, but the truth is privacy is
00:01:52 Kavin Anburaj
almost anonymous with data risks.
00:01:54 Kavin Anburaj
So you need to understand what data your organization is correcting, what sector you belong to, and start with that for you to then figure out how to start doing a privacy audit.
00:02:10 Charles King
So this idea of what data impacts privacy.
00:02:15 Charles King
So help us think through that.
00:02:17 Charles King
I think there's things that would be obvious to anyone around maybe customer data or employee data.
00:02:23 Charles King
But can you help me think through what should I be looking for or thinking about when I consider what data has privacy implications?
00:02:34 Kavin Anburaj
Most people would start off with like a checklist, but laws, regulations, and even customer expectations for organizations are evolving by the day.
00:02:45 Kavin Anburaj
And so if you had to start thinking about what data actually matters,
00:02:50 Kavin Anburaj
Again, depending on your business, it could be customer data.
00:02:54 Kavin Anburaj
If you are making up examples here, but like if you're in the retail space, what customer data that you have, what user data or PII associated to the customers do you have is the number one place that I would look for.
00:03:06 Kavin Anburaj
Social media companies, we have what we call user data.
00:03:10 Kavin Anburaj
So information that users present within our platforms is another big bunch of data.
00:03:16 Kavin Anburaj
But for most other companies,
00:03:18 Kavin Anburaj
Even employee data can be subject to any kind of privacy laws and rules.
00:03:24 Kavin Anburaj
And so employee data is something that I would say everybody needs to look at.
00:03:28 Kavin Anburaj
Vendor data, so any third-party vendors that work with you within the company would also be subject to this.
00:03:37 Kavin Anburaj
And
00:03:38 Kavin Anburaj
anything which can be attributable to a human, a user, whether it is provided in a structured manner or it is provided in an unstructured manner.
00:03:48 Kavin Anburaj
And an example of that would be, let's say it's a customer complaint, an e-mail, a portal where you have an external party interacting with your organization in any way.
00:04:00 Kavin Anburaj
If that's a mechanism for you to collect details about a user in any form, then that would also be subject to a lot of these.
00:04:08 Kavin Anburaj
laws and regulations.
00:04:10 Kavin Anburaj
So that, I would say, anything that's attributable to a person would all be a part of user data.
00:04:17 Charles King
Right.
00:04:18 Charles King
So my name, my address, my gender, any of those might be protected data.
00:04:25 Charles King
But what we might not always think about is that when I send an e-mail to a customer service representative and I imply my address or my gender or some other
00:04:38 Charles King
personally identifiable characteristic, even though it's not in tabular data that sits in maybe a CRM system, that's still privacy data that tells something about me.
00:04:49 Charles King
And if that was, you know, some unauthorized party got access to it, that could trigger your privacy requirements under the law or under your privacy policy that you communicate to your customers about how you're going to deal with their data.
00:05:03 Charles King
That's really fascinating.
00:05:05 Charles King
Maybe let's think a little bit about what some of those obligations are.
00:05:09 Charles King
Obviously, Meta is a bit of a special case, but there are privacy laws all around the world that apply to everyone, not just social media companies.
00:05:18 Charles King
So what are some of the big ones that we should be thinking about for organizations that are in countries that have these privacy laws?
00:05:27 Kavin Anburaj
Even though there are evolving laws across the globe, the one thing that is very
00:05:34 Kavin Anburaj
evident is all of these laws are based off of basic privacy principles.
00:05:39 Kavin Anburaj
Each country may interpret it differently.
00:05:41 Kavin Anburaj
Each country may have their own special requirements or special sauce that they add to it.
00:05:45 Kavin Anburaj
But at the end of the day, they are all baked off of basic privacy principles.
00:05:50 Kavin Anburaj
I'm going to state a few of them with some examples, but not everything is going to apply for every single organization out there.
00:05:58 Kavin Anburaj
But here's my take on it.
00:06:00 Kavin Anburaj
I think it all starts with transparency and consent.
00:06:03 Kavin Anburaj
Every organization needs to make it extremely clear and transparent to the users what data is going to be collected about them and what they are going to be doing with that data.
00:06:14 Kavin Anburaj
It's that disclosure that I would say is one of the key things that need to happen.
00:06:19 Kavin Anburaj
The second thing is consent.
00:06:21 Kavin Anburaj
And consent here could be the terms of service that a user agrees to, the checkmark that we put in every time we download an app.
00:06:28 Kavin Anburaj
That could be considered consent, or in some countries, like I said, some countries add their special sauce.
00:06:33 Kavin Anburaj
One of it is they would say, I need explicit consent.
00:06:37 Kavin Anburaj
So someone needs to go in and say, I authorize this data to be used for this particular purpose.
00:06:42 Kavin Anburaj
So that could be explicit consent.
00:06:44 Kavin Anburaj
So transparency and consent are one of the key principles of anything related to privacy that a lot of laws base
00:06:51 Kavin Anburaj
they are regulations off of.
00:06:53 Kavin Anburaj
The second one is purpose limitation, which is a very hard area to audit, to be honest, but that's another key principle that we need to keep in mind is, this data that I'm collecting about the user, am I only going to be using it for the purpose that I am ultimately stating it to be used for?
00:07:12 Kavin Anburaj
And if I had to come up with an example for this, would be where, let's say I'm on an Uber ride and
00:07:20 Kavin Anburaj
Uber has my location data because I've allowed them to have my location data, and then I reach my destination and I'm getting ads for that particular location, that might not be something that Uber could have stated to me explicitly and said, I'm using your location for safety purposes, but then if ads are going to be served and I didn't consent to it in the 1st place, and that wasn't disclosed to me in the 1st place, then that could be construed an error or a mistake on their end.
00:07:48 Kavin Anburaj
So that would be an example of what purpose limitation would be.
00:07:51 Charles King
So this could, outside of the media or technology context, if I were, say, a store, a retailer, and I have information about my customers that maybe I get through the point of sale or through my loyalty program,
00:08:10 Charles King
I can't then come up with a novel idea for how to use their data, maybe to target them with ads through the e-mail address that I have on file or other things, unless I've told them in advance that I'm going to use their data for that purpose.
00:08:27 Charles King
Is that the idea?
00:08:28 Charles King
Okay.
00:08:29 Kavin Anburaj
Exactly.
00:08:30 Kavin Anburaj
That is what purpose limitation is.
00:08:33 Kavin Anburaj
Data minimization is another privacy principle.
00:08:37 Kavin Anburaj
I'm starting to see like a lot of organizations
00:08:40 Kavin Anburaj
also get into that principle, it is collecting only the data that is truly required for you to do your business.
00:08:46 Kavin Anburaj
Just personally, every time I wear to orders, like a shirt off of a website, the size, the address, all of that makes sense.
00:08:54 Kavin Anburaj
And then given my age, sometimes when I have to put in what my date of birth is, I'm like, I understand the month and the date, but why do you need to know which year I was born in?
00:09:03 Kavin Anburaj
Because it automatically buckets me into a certain age group, right?
00:09:07 Kavin Anburaj
And yes, personally, it affects me too.
00:09:10 Kavin Anburaj
And that is why I think I get offended by it.
00:09:12 Kavin Anburaj
But jokes aside,
00:09:14 Kavin Anburaj
Data minimization is something that you need to keep in mind.
00:09:16 Kavin Anburaj
Am I only collecting the data that is required for me to perform this service for this individual?
00:09:21 Kavin Anburaj
Another interesting area which it may apply to a lot of industries and may not is the storage limitations and retention limitations.
00:09:31 Kavin Anburaj
This is where we need to make sure the data is there with that organization only for the amount of time that it's required.
00:09:37 Kavin Anburaj
So orders,
00:09:39 Kavin Anburaj
that I might have placed 10 years ago, the company needs to have policies, internal policies, which state that all data needs to be purged on a regular basis.
00:09:48 Kavin Anburaj
And that is going to be organizational dependent.
00:09:50 Kavin Anburaj
However, in some instances, from a payments perspective, for fraud detection reasons, companies are going to be required to keep their data for much longer.
00:10:00 Kavin Anburaj
So depending on the rules of the country, all payments history needs to be maintained for five years or seven years or 10 years.
00:10:07 Kavin Anburaj
And those laws will override any internal policies that an organization may have.
00:10:12 Kavin Anburaj
So data limitations, data retention is another principle that a lot of these laws are based off of.
00:10:18 Kavin Anburaj
I know it's a lot, but those are some of the key areas that exist in addition to obviously naturally
00:10:24 Kavin Anburaj
data security requirements that we are going to have and good governance policies that every organization needs to have.
00:10:30 Charles King
Right.
00:10:30 Charles King
And additionally, some of the laws require that customers be able to ask the organization to delete their data, right?
00:10:39 Charles King
And that has all kinds of far-reaching implications because sometimes your data is in many different places and it can create, you know, all of these questions about data lineage and
00:10:50 Charles King
As the marketing team, maybe where my data is, but you got that data from the sales team or from somebody in supply chain.
00:10:59 Charles King
And so is it there too?
00:11:01 Charles King
And where are all of the different places we have to delete it if that is in fact an obligation that you have?
00:11:09 Kavin Anburaj
Yes, I think you hit on a very, very important point.
00:11:14 Kavin Anburaj
As I was mentioning earlier, a lot of people think privacy is very focused on what regulatory requirements are, but as I said, it's evolving where user rights are also high up on the reason as to why we need to have good privacy audits that occur.
00:11:32 Kavin Anburaj
From a user rights perspective, to your point,
00:11:36 Kavin Anburaj
At any given time, any data that we collect about a user is still actually the user's data, which means that they have right to access it, they have rights to delete it, they have the right to be forgotten effectively.
00:11:48 Kavin Anburaj
And so it's extremely important for any organization to understand at what point does the data come into the organization, which is obvious.
00:11:57 Kavin Anburaj
But then the second piece is where else is that data going to flow?
00:12:00 Kavin Anburaj
Where else am I saving that data so that I can have that traceability of data across the different systems?
00:12:08 Kavin Anburaj
And that is going to be required because if a user
00:12:11 Kavin Anburaj
where to come in and say, hey, can I have a list of all the points or all the data that you have about me?
00:12:17 Kavin Anburaj
Then we as an organization should be able to demonstrate that here is all the data that I have about you.
00:12:25 Kavin Anburaj
And knowing that traceability and knowing that lifecycle is the only way for us to be able to pull that list.
00:12:31 Kavin Anburaj
And in case the user decides to delete it, then we need to know all the points where it is sitting so that our systems can efficiently do that.
00:12:40 Kavin Anburaj
And if this were to happen at scale, forget Meta as an organization, but pretty much any company at all, it's important for us to know what those different points are so that the deletion can happen accurately.
00:12:53 Kavin Anburaj
We are representing the data to the user accurately.
00:12:56 Kavin Anburaj
And lastly, obviously having a lot of data also puts every organization at risk.
00:13:02 Kavin Anburaj
I think that is just pretty clear with breaches that have occurred.
00:13:06 Kavin Anburaj
across the industries.
00:13:08 Kavin Anburaj
And so knowing where your data resides has got more than one purpose, not just from a regulatory perspective, but helps us be transparent to the users.
00:13:16 Kavin Anburaj
And lastly, helps our organizations be safe.
00:13:20 Charles King
Right.
00:13:21 Charles King
And that's an area a lot of organizations struggle with, even though there have been
00:13:25 Charles King
major advances in tooling that can help with managing data lineage and understanding sort of data management and data governance in general, it's still really challenging.
00:13:36 Charles King
There are so many systems and so many different ways that organizations use data.
00:13:41 Charles King
It's often hard to find one reliable data lineage or data management solution that will tell you where all of your data is.
00:13:51 Charles King
So that poses challenges for auditors, but I'd like to talk a little bit about how we go about auditing privacy, but maybe before we do that, let's think about the different kinds of audits or audit objectives we might accomplish through privacy audits.
00:14:09 Charles King
Can you maybe think through what are some of the triggers for audits or the types of audits
00:14:15 Charles King
or focal points of the audits that you do to think through the different ways we might go about building an audit program.
00:14:25 Kavin Anburaj
Yeah, when we originally had to get started with building out the audit program, these were some of the questions that we had to ask ourselves as well.
00:14:35 Kavin Anburaj
As you must have probably understood by now, I'm an extremely data-driven person.
00:14:40 Kavin Anburaj
And so
00:14:42 Kavin Anburaj
They didn't naturally translate into the only type of audits that we've ever done.
00:14:45 Kavin Anburaj
But taking a step back, you always look at what sector your organization belongs to.
00:14:51 Kavin Anburaj
And understanding what sector they belong to will automatically give you an understanding as to what regulations apply to your industry.
00:14:59 Kavin Anburaj
So that will give you an entire scope of audits that you can perhaps do from a regulatory angle.
00:15:04 Kavin Anburaj
If your organization belongs to California, and if you want to do something related in the privacy space, then CCPA, CPRA laws will apply.
00:15:12 Kavin Anburaj
So understanding what your regulatory environment is and what your organization is going to be subject to is the first bucket of questions you need to answer and the first tranche of audit plan that you will start obtaining.
00:15:25 Kavin Anburaj
The second, if you move out of the legal and the regulatory space, is having a very operational lens to it or a compliance lens to it.
00:15:34 Kavin Anburaj
Chances are your internal audit is hopefully not the first party that's going to be looking at
00:15:41 Kavin Anburaj
what risks exist in the privacy space.
00:15:43 Kavin Anburaj
There should definitely be like risk assessments either performed by the legal teams, or if you have a compliance organization, information security organization, which could also be looking at privacy as a space.
00:15:54 Kavin Anburaj
So understanding what has either second line or the first line, depending on how you differentiated within every organization, what work has been done by them, and is that something that you can leverage?
00:16:06 Kavin Anburaj
And if it's mature enough, is that something that you can audit?
00:16:09 Kavin Anburaj
Is a whole
00:16:11 Kavin Anburaj
tranche of audits that you can think about from a privacy angle.
00:16:15 Kavin Anburaj
And then the third is internal auditors can jump straight into the business itself.
00:16:20 Kavin Anburaj
So the privacy principles that I alluded to earlier, you can literally pick one, two, or all of them and try and do an audit with your business partners directly.
00:16:31 Kavin Anburaj
So this could be starting with your sales or your marketing organizations to understand what disclosures or what do we state about our products.
00:16:39 Kavin Anburaj
And then checking back into the system
00:16:41 Kavin Anburaj
to say is everything that we are stating is that accurately being performed.
00:16:44 Kavin Anburaj
So you can look at it either at a regulatory lens, you look at it from an operational compliance, what has the organization done so far lens.
00:16:53 Kavin Anburaj
Or third, you focus on the business directly and try and see if any of the privacy principles can be applied and if it can be audited through the systems through and through.
00:17:04 Kavin Anburaj
So those are three different mechanisms that I would say an organization can think about it.
00:17:09 Kavin Anburaj
And maybe that's a part of your rotation plan.
00:17:11 Kavin Anburaj
Like you do regulatory one year, but you're more interested in how data actually flows.
00:17:16 Kavin Anburaj
And so you do the third type of audit.
00:17:20 Kavin Anburaj
So that is how I would suggest if you had to start off.
00:17:24 Charles King
Right, so a regulatory focused audit would be taking the requirements of, you mentioned CCPA or GDPR or any one of the many different state-specific privacy regulations that exist in the US, understand what your obligations are under that law, and then try to go audit against those regulations.
00:17:43 Charles King
That might be step number one, or at least an option.
00:17:47 Charles King
Another option is to look at
00:17:50 Charles King
second line functions like legal or maybe depending on how you're structured, maybe part of the CISO organization or if you have a chief privacy officer, and then how are they overseeing privacy?
00:18:03 Charles King
And it's almost like a governance audit.
00:18:05 Charles King
And then the third one, if I understood you correctly, is looking at the actual, call it the first line that is presumably collecting this data
00:18:16 Charles King
storing and using the data.
00:18:18 Charles King
And then, there are different ways that you might audit against that, but taking some of the privacy principles we talked about before and seeing about purpose limitation in the first line or how they're dealing with transparency in the first line and communicating to their customers how that data is being used and what their policies are around data.
00:18:41 Charles King
So you talked before about how you were
00:18:45 Charles King
a traditional auditor, I guess, and then got into the privacy space as a specialization.
00:18:51 Charles King
What did you learn in the beginning that would help people that are just, that are new to auditing privacy to get up to speed a little bit faster?
00:19:00 Kavin Anburaj
I'm glad that you asked this question because I did wish that I had someone explain to me what the differences would be or what I could have done a little better upfront, but hopefully this helps.
00:19:13 Kavin Anburaj
some people.
00:19:13 Kavin Anburaj
One is the amount of cross-collaboration that is required for a privacy audit.
00:19:22 Kavin Anburaj
In the traditional audit space, when I have done an audit in a particular sector, either I'm working with engineering teams or I'm working with business teams.
00:19:31 Kavin Anburaj
And I'm not saying that it gets limited to just that org that I am currently auditing, but in the privacy space, as you're aware, data never stays within one organization alone.
00:19:43 Kavin Anburaj
And couple that with evolving regulations, there is constant flux in what you're supposed to do, and there's constant flux in how data is ultimately managed within as well.
00:19:56 Kavin Anburaj
And so combining these two is where the complexity gets a little harder to manage.
00:20:02 Kavin Anburaj
So biggest lesson learned is understanding who your cross-functional partners are and starting to set up expectations with them.
00:20:09 Kavin Anburaj
And for us,
00:20:11 Kavin Anburaj
or for any privacy audit for the matter, you start off with legal or with the organization that is responsible for translating what regulatory requirements are required for your organization and converting them into policy.
00:20:24 Kavin Anburaj
So you work a lot with legal policy teams to make sure that the law has been interpreted and that we have policies that we can audit against.
00:20:34 Kavin Anburaj
So
00:20:35 Kavin Anburaj
that would be a lesson learned.
00:20:37 Kavin Anburaj
And you don't just start off with the organization that you are just automatically auditing.
00:20:41 Kavin Anburaj
So I would suggest starting off there.
00:20:45 Kavin Anburaj
The second piece is, like I said, hopefully internal audit is not the first team that's looking at things from a privacy perspective.
00:20:52 Kavin Anburaj
So talk to your second lines to see what work has already been done.
00:20:56 Kavin Anburaj
Has there been risk assessments that have been performed in this particular space?
00:21:00 Kavin Anburaj
And getting that information will help ground you before you start doing an audit.
00:21:06 Kavin Anburaj
So that is another big lesson that I've learned because sometimes, obviously, when we are reporting these things out to the board or to senior management, it is important for us to be able to speak the same language.
00:21:17 Kavin Anburaj
And the question naturally is going to arise, like a third line and the second line working together.
00:21:23 Kavin Anburaj
And do they have similar principles that we are auditing against?
00:21:26 Kavin Anburaj
So align with legal, align with second line in these spaces.
00:21:30 Kavin Anburaj
The third thing that I have understood is, which I'm pretty sure any internal auditor would empathize with, is it's not like you walk into an audit and then someone gives you a data map and says, this is where all the data is.
00:21:43 Kavin Anburaj
This is where the data storage is.
00:21:44 Kavin Anburaj
These are the controls that we have.
00:21:46 Kavin Anburaj
So it's hard enough to do it in one space.
00:21:49 Kavin Anburaj
It gets harder when there are multiple business units that are involved.
00:21:53 Kavin Anburaj
So talking to someone
00:21:56 Kavin Anburaj
who has that knowledge upfront and getting or trying to piece this together initially would really be beneficial before you start identifying controls.
00:22:07 Kavin Anburaj
So those are like 3 big buckets that I would say would be helpful.
00:22:12 Charles King
Yeah, and I think this is probably fairly obvious for people that are in regulated industries or have parts of their business that are subject to some kind of third-party scrutiny.
00:22:25 Charles King
but you have to be very careful with the language you use in these reports as well.
00:22:31 Charles King
I think sometimes when we do the traditional plain vanilla business process audits, I don't think we ever want to be sloppy with our language, but sometimes if it's a little bit imprecise or we don't choose our words very carefully, if it's a procurement audit or something like that, it's not that big a deal.
00:22:50 Charles King
But in the privacy
00:22:52 Charles King
realm and in other regulatory realms, being inartful in the way you write your findings or observations, that can have some downstream implications because it's possible that other people will see your internal audit report and potentially misconstrue it, right?
00:23:10 Charles King
So whether that's a regulator or it's part of a lawsuit or, you know, anyone, any third party that may be interested in how you're complying with privacy laws or privacy obligations,
00:23:22 Charles King
your internal audit reports are absolutely going to be part of that.
00:23:26 Kavin Anburaj
Yeah, I think you're absolutely right.
00:23:29 Kavin Anburaj
When I was also mentioning working with legal or with functions which are interpreting law in some ways, it's also important when the results are out to work with them closely to make sure that us, like an internal audit team,
00:23:45 Kavin Anburaj
stating something in the context of 1 jurisdiction does not have a completely different interpretation or a different meaning in a different jurisdiction, which could naturally happen if you are working anywhere in the global space and your business is conducted outside of just one country.
00:24:02 Kavin Anburaj
And that's where they are expertise in making sure that
00:24:08 Kavin Anburaj
either adding clauses to say this is in this particular jurisdiction only getting the words right is of utmost important when doing a privacy-related audit.
00:24:18 Charles King
Yeah.
00:24:19 Charles King
Well, if auditors want to learn more about privacy, what resources would you recommend they go to
00:24:29 Charles King
to prepare for a privacy audit or to think about including privacy implications into their risk assessment or into their audit plan in some way.
00:24:41 Kavin Anburaj
Yes.
00:24:42 Kavin Anburaj
For me, to be honest, I think IAPP actually was a very helpful resource location where I went to understand a lot of these in more detail.
00:24:54 Kavin Anburaj
It, again, I would say it really depends on the country that you are in as well or where your organization is doing business.
00:25:00 Kavin Anburaj
And it's important for you to understand what your sector is and look for.
00:25:05 Kavin Anburaj
And for example, like within the healthcare space, what are some of the regulatory requirements?
00:25:10 Kavin Anburaj
And
00:25:10 Kavin Anburaj
what regulatory requirements will apply to your particular organization is something that you need to be aware of and do research more into that sector itself in addition to general basic privacy principles and laws and regulations can be looked up.
00:25:26 Kavin Anburaj
And IAPP would be a really good source for it.
00:25:29 Charles King
Yeah, IAPP is a great place.
00:25:31 Charles King
That's where I started my journey.
00:25:33 Charles King
I'm really happy to
00:25:35 Charles King
I really enjoyed getting my privacy certification.
00:25:39 Charles King
And I think if you're an organization that has serious privacy concerns, I think it's worth, if not getting the certification yourself, just making sure that you have access to some people that have some proper privacy training after they get their CIA, of course, but then after that.
00:25:56 Charles King
That's exactly.
00:25:59 Kavin Anburaj
Actually, that is.
00:26:00 Kavin Anburaj
Really true, Charles, which I truly believe in, is if your internal audit basics are good and you have your CIA or IAA to support that, in addition to you understanding your business quite well, you understanding how data management works in general,
00:26:22 Kavin Anburaj
I think a combination of that, in addition to anything else in the privacy space that you do, I feel like will make you a very well-rounded privacy auditor.
00:26:32 Charles King
Excellent.
00:26:33 Charles King
Well, Kavin, this has been a great discussion.
00:26:35 Charles King
I really appreciate you coming on this week and sharing what you've learned about privacy with everyone.
00:26:40 Charles King
I know it's an exciting area.
00:26:42 Charles King
I think it's only going to be more and more relevant to every organization as we see more regulation, as we see technologies like AI,
00:26:52 Charles King
come to the fore.
00:26:54 Charles King
It's an important area, and I think it's an overlooked area by many auditors.
00:26:58 Charles King
So I'm really glad we were able to have this discussion today.
00:27:01 Charles King
Thanks for coming on the show.
00:27:02 Kavin Anburaj
Thank you so much, Charles, for this opportunity.
00:27:05 Kavin Anburaj
And yeah, the last bit that you just mentioned, I wanted to reiterate, with AI becoming such an important topic across all organizations, the data traceability, lineage, and privacy implications are going to be so much more higher for every organization out there.
00:27:21 Kavin Anburaj
So
00:27:22 Kavin Anburaj
Privacy audits are not going to be done.
00:27:24 Kavin Anburaj
And in a silo, I feel like anything that we are going to be doing in the AI space is going to have privacy components.
00:27:29 Kavin Anburaj
So it is time that every organization adapts and embraces the privacy audit lifestyle too.
00:27:36 Charles King
Well said.
00:27:37 Kavin Anburaj
Thank you so much again.
00:27:40 The IIA
Banking on big changes will spark your next audit breakthrough at the 2025 Financial Services Exchange.
00:27:47 The IIA
November 3rd to the 4th in Washington, D.C., or virtually.
00:27:53 The IIA
Gain fresh insights, network with peers, and earn up to 13 CPEs.
00:27:59 The IIA
Head to theiia.org to reserve your spot now.
00:28:04 The IIA
If you like this podcast, please subscribe and rate us.
00:28:08 The IIA
You can subscribe wherever you get your podcasts.
00:28:11 The IIA
You can also catch other episodes on YouTube or at theiia.org.
00:28:17 The IIA
That's THEIIA dot ORG.
