The discussion on accountability is heating up around the globe. On the edges of the recent IAPP Asia Forum in Singapore, the Center for Information Policy Leadership (CIPL) held a Workshop in collaboration with the Singapore Personal Data Protection Commission (PDPC) on “Implementing Accountability.” Nymity was pleased to participate in the workshop.
As a long-time member and supporter of CIPL’s work, Nymity is the global leader in transforming CIPL thought leadership into practical tools for organisations to operationalise accountability: from practical Templates for quickly building and scaling a privacy program to privacy management planning solutions to tools for communicating and demonstrating compliance.
The concept of accountability in privacy management is not new. Back in 2009, the Galway Accountability Project was initiated by Ireland’s Office of the Data Protection Commissioner and co-sponsored by the Organisation for Economic Co-operation and Development (OECD). CIPL acted as the project’s secretariat and served as principal drafter of several papers which considered the concept of accountability as it applied in the existing data environment. Nymity was a regular participant in those discussions and, at that time, began building its practical software tools to operationalise accountability.
Today, the conversation on accountability is more relevant than ever, and regulators around the world are engaging on the topic. The concept of accountability now has broad international support and has been adopted in the EU General Data Protection Regulation (GDPR) as a compliance obligation (Article 5(2)). To that end, CIPL has initiated a new series of global workshops on accountability to facilitate consensus and clarity on the specific meaning and application of organisational accountability among all relevant stakeholders, including organisations that are trying to put accountability into practice and Data Protection Authorities (DPAs) overseeing accountability. Nymity will continue to participate, bringing the on-the-ground experience of our clients to the discussion and, again, turning policy thought leadership into practical solutions.
The Singapore workshop focused one of its key sessions on examples and practical demonstrations of how controllers and intermediaries/processors of all sizes are delivering accountability, focusing on the role of the Data Protection Officer (DPO), documenting data processing and demonstrating accountability. Specific questions that were addressed by several organisations included:
- Why is it in an organisation’s self-interest to build a systematic data protection management programme?
- What are the benefits of accountability for large organisations and SMEs and for controllers and intermediaries/processors?
- How to start a data protection management and compliance programme, including understanding the data, gaining senior management support, and implementing governance?
- What is the role of the DPO in organisational accountability?
- What are documentation best practices in relation to data processing?
- How can organisations, including SMEs, demonstrate accountability internally and externally (internal personal data protection programmes, data protection certifications, codes of conduct and BCR, APEC CBPR, and PRP)?
During the session, participants also heard from several Asian Data Protection Authorities that are very active in promoting the concept of data privacy accountability. For example, Raymund Liboro, Commissioner and Chairman at the National Privacy Commission (NPC - Philippines), outlined the Commission’s 90-day plan for data protection officers to help their agencies and organisations comply with the Data Privacy Act.
The idea is “90 days toward accountability and compliance,” said Commissioner Liboro. The plan can be followed not only by government agencies but also by the private sector. The goal here is that there will be a smaller chance of experiencing data breaches, a smaller chance of data privacy rights being violated, and a smaller chance of getting complaints from the public.
Deputy Commissioner Zee Kin Yeong of the PDPC talked about the Commission’s proposed artificial intelligence Governance Framework in connection with the recent release of the PDPC’s Discussion Paper: Artificial Intelligence (AI) and Personal Data – Fostering Responsible Development and Adoption Of AI.
Finally, Privacy Commissioner Stephen Wong Kai-yi of Hong Kong spoke about the Commission’s Privacy Management Programme, which was released in 2015. He reiterated that privacy and data protection cannot be managed effectively if they are merely treated as legal compliance issues. Rather, organisations should embrace personal data privacy protection as part of their corporate governance responsibilities and apply them as a business imperative throughout the organisation, covering business practices, operational processes, product and service design, physical architectures, and networked infrastructure. To achieve this, the Commission promotes a comprehensive Privacy Management Programme (PMP) as part of a robust privacy infrastructure.
For the past 15 years, Nymity has been providing research-based privacy management software solutions to empower privacy offices to build and maintain accountability-based privacy management programmes. After years of research and workshops, we also developed the Nymity Privacy Management Accountability Framework™, a menu of 130 privacy management activities structured into 13 categories and mapped to the relevant global laws. Organisations around the world use our Framework and privacy solutions to build and maintain privacy management programs that demonstrate accountability and compliance. Request a demonstration of our solutions today.