The concept of “accountability” has emerged as a dominant theme in global privacy and data protection law, policy, and organizational practices and is considered fundamental to privacy management. While the word has been challenging to define in practice, the idea embodies what regulators expect of responsible organizations and more and more, privacy laws are incorporating the concept as a matter of legal compliance. The General Data Protection Regulation (GDPR) integrates accountability as a principle in Article 5(2) which requires organisations to demonstrate compliance with the principles of the GDPR. Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organisational measures to ensure that organisations can demonstrate that the processing of personal data is performed in accordance with the GDPR.
Our clients have asked us countless times, “How do I prioritise my efforts to meet GDPR accountability obligations?”. And the fact is that there is no one, simple answer. Each organisation is responsible for crafting a privacy management program specific to their company’s unique needs.
In an effort to fully support our clients in developing their privacy programs, Nymity has authored an upcoming paper, “A Practical Guide to Demonstrating Compliance”. In the guide, you’ll find a wealth of detailed information to walk you through the process. You do not need to be a privacy expert in order to implement effective privacy management in your organization- this guide ensures that individuals from any background can more easily understand the process, focus on their organization’s priority areas, and be able to communicate and report effectively on the status of ongoing GDPR compliance.
The guide is supported by four appendices, containing in-depth information on the key concepts integral to privacy management. Today, in the first of a three-part series on the Guide, we’ll be examining these key concepts. In Part Two of the guide, we will dive in deeper to examine the prioritisation of accountability obligations in two straight-forward steps. Lastly, in Part Three, we will take a look at the most common approaches to planning, in order to assist your organisation in choosing the best strategy for your unique needs.
Do you need to be an official “Privacy Officer” to be considered a “Privacy Office” team member? No. The Privacy Office is all the individuals responsible for privacy management, and this team can span many departments across an organisation: Legal, compliance, risk, etc. The Privacy Officer is generally the individual within the organization responsible for privacy management. Other names include Privacy Counsel, Chief Privacy Officer, or Data Protection Officer. This individual may not even have privacy in their title, such as a CISO.
Resources are what is available to the Privacy Office to implement and maintain the technical and organisational measures. Nymity has identified four categories of resources: People, processes, technology, and tools.
Privacy is contextual and therefore there are no standard checklists to which an organization can point to demonstrate accountability. In order to articulate how the organisation’s data processing activities are carried out in compliance with regulations, one must have an understanding of the activities themselves, the motivations behind them, and how the rules apply. In the Guide, when the term context is used, it refers to:
Rules- Privacy laws, regulations, internal policies, privacy notices, and codes of conduct.
Data Processing Practices- How personal data is processed, including business operations, back office functions, human resources, marketing, and finance.
Privacy Management- How technical and organizational measures and other privacy management activities have been implemented and maintained.
Privacy Risk- What risk of harm currently exists, both to data subjects, and to the organization? Having an understanding of this allows the Privacy Office to prioritise the mitigation of one risk over another.
For some technical and organisational measures, it is obvious how the evidence can be used to demonstrate compliance. For example, where a rule requires that a privacy notice contains certain elements, it is easy to determine if those elements are present in a privacy notice. In other cases, evidence is not as straight-forward. For example, rules often require that data is not processed for purposes beyond that for which it was collected. In this case, evidence could include policies and guidance pertaining to how to ensure that processing stays within these boundaries. But to fully demonstrate compliance, organisations will need to go a step further, and conduct PIAs or DPIAs. These assessments will determine if the use is in accordance with the original purpose, and if this is taking place consistently.
Fundamentals of Structured Privacy Management
Since 2002, Nymity has been conducting in-depth research worldwide to examine what it means to effectively “demonstrate” accountability through effective privacy management. We have determined that privacy management has three key elements:
In a structured approach to privacy management, responsibility means appropriate technical and organisational measures have been implemented, and are maintained on an ongoing basis. These measures are determined based on the organisations’ unique compliance requirements, risk profile, business objectives, and the context of data processing.
Nymity’s Privacy Management Accountability Framework™ has been developed to assist in ensuring the “responsibility” element. It is a menu of activities that can be adapted to any organization; a comprehensive, jurisdiction and industry-neutral listing of over 130 privacy management activities within 13 privacy management categories. It has also been mapped to the GDPR, to assist in compliance with the regulation.
Ownership builds on the element of responsibility by ensuring that each technical and organisational measure is assigned to an individual. Ownership of privacy management activities can reside within the operational and business units where data is being collected, and can include human resources, marketing, product development, IT, and customer service.
The owner of a privacy management activity is responsible for providing supporting evidence that the activity is being maintained. When an activity is performed on an ongoing basis, evidence is produced as a by-product. This may be formal (for example, policies, procedures, reports), or informal (communication, agendas, system logs). It is important to note here that ongoing privacy management activities can be categorized as either Periodic (for example, taking place quarterly or monthly), or Continuous (embedded into day-to-day activities).
The Two Key Steps to Prioritisation
In Part Two of this series, we will explore the main purpose of the Guide to Demonstrating Compliance: The two key steps to prioritisation. Having gained an understanding of the key terms in Part One of this series, you’ll learn how to Baseline and Plan in order to craft an effective privacy management program. Later, in Part Three, you’ll discover the most common approaches to planning, and gain the knowledge to assist you in choosing the correct strategy for your organisation.