Audits, by nature, are rear-view facing. In many cases that is fine (e.g., income tax audits and process audits), but in the world of cybersecurity and data security, relying on an external audit poses a significant business risk.
Data security goals and data governance, risk and compliance (GRC) goals had never aligned until GDPR. Data GRC focuses on demonstrating (reporting) the controls over who accessed in-scope data, what was accessed and when; it is not primarily about securing that data. Organizations needed to demonstrate compliance and focused on passing an audit, not on preventing data breaches. Before GDPR, monetary fines for breaches were minor; it was more important to find ways to pass the audit so the business could keep operating than to reduce the risk of a data breach.
GDPR has shifted this paradigm by imposing substantial monetary fines in the case of a breach. As a result, organizations now focus on minimizing the risk of data loss rather than on passing an audit. After all, there is no GDPR compliance audit of the kind the International Organization for Standardization (ISO) uses. The only mention of an audit within the GDPR regulation concerns data processing. Compliance is self-imposed: the threat of a stiff fine compels organizations to start thinking about compliance and security with a unified goal, which is to protect data.
Previous compliance standards and regulations such as ISO, Payment Card Industry (PCI), Sarbanes-Oxley (SOX) and Service Organization Control (SOC 2), to name a few, have focused on the audit.
For these regulations, organizations put in place the minimum processes and controls necessary to pass the audit. Those controls may have little to no impact on data protection and privacy; the organization is solely attempting to gain compliance via a passing audit. The certificate acts as a get-out-of-jail card. If anything goes wrong, the organization says, "But we passed our audit. It's not our fault."