To comply with obligations under the GDPR (and the 700+ other global privacy laws), it is best to take an accountability approach. This requires putting in place a program made up of appropriate technical and organisational measures, and maintaining an ability to demonstrate a capacity to comply. Depending on the specificities of your organisation, appropriate technical and organisational measures can be anything from policies and procedures to guidelines, checklists, technology training, technical safeguards, and more. The Nymity Privacy Management Accountability Framework™ provides a jurisdiction- and industry-agnostic menu of technical and organisational measures to help you operationalise global privacy laws and – most importantly – demonstrate compliance with these laws.
An Accountability Approach to Compliance
Accountability requires that organisations demonstrate compliance to:
– The Supervisory Authority
– Business partners (in certain instances)
Regulators have made it clear that the process of accountability is not a one-off exercise. It must be ongoing, so that you can maintain a capacity to comply and demonstrate compliance at any moment in time. Prior to GDPR, it was common for organisations to run ad hoc privacy programs in order to comply with certain laws. The scope of the GDPR is so large that ad hoc programs no longer work. In fact, when we mapped the GDPR to the Nymity Framework™, we found that a full 39 out of 99 GDPR Articles require evidence of ongoing technical and organisational measures in order to demonstrate compliance and those 39 Articles map to 55 technical and organisational measures on the Nymity Framework. The good news is that you can leverage your work for the GDPR to comply with new laws such as the CCPA – and the Nymity Framework™ can help. It allows you to easily identify the GDPR activities that are already part of your privacy program which can also be leveraged for CCPA compliance and a multitude of other laws.
Real World Case Studies: Turning Privacy Projects into Embedded, Operationalised Privacy Programs
Integrating the ‘GDPR Project’ Into their Existing Privacy Program
To prepare for the GDPR, one of the first things GM did was to analyse their current program to identify gaps, as well as existing measures that they could leverage. With a mature program already in place, they went through each component of the Nymity Framework™ to determine which areas needed new measures, which needed to be strengthened and which needed to be enhanced, in order to be GDPR compliant. GM has 51 privacy offices, and since the Framework is repeatable and scalable, they use it in all markets, including newer markets such as the Philippines, which needed a complete privacy program rollout.
Kimberly Bubnes, Director of Global Data Privacy at GM, comments, “Every time we have a new law across the globe, the Nymity Framework™ helps us integrate compliance with that law into our program, as well as ensuring compliance with existing laws.” Bubnes goes on to say, “Having the Framework to work against has been invaluable to our planning, because we’ve been able to tell leadership exactly what’s required, what work effort will be involved, what the key deliverables will be, and address change proactively. And even though we have a mature program, we’ve been able to improve upon it and mature it further by leveraging the Framework.”
Otter Products & Blue Ocean Enterprises:
From Several Ad Hoc Privacy Programs to one Global Privacy Program
With both startups and large global companies under their umbrella, the organisation realised they needed to move away from reactive ad hoc programs to a global program, in order to comply with various and multiple laws. They used Nymity’s jurisdiction-agnostic Framework to implement technical and organisational measures to comply with the GDPR. So, when the CCPA was passed, “it was just another day in the office,” commented Alexys Carlton, Director of Information Assurance & Privacy. The organisation was already set up with appropriate GDPR measures that they could leverage for CCPA compliance.
The Nymity Framework™ also includes a governance structure which they use for ongoing accountability, program evaluations, and reviewing the maturity of their privacy program. Carlton continued, “The Framework helped me transition from an ad hoc privacy program to an agile global privacy program that allows me to demonstrate accountability across multiple laws.”
Coca-Cola European Partners:
Integrate GDPR Project Components into a Sustainable, Operational Privacy Program
The European arm of Coca-Cola realised that the GDPR would require new controls, as well as changes to existing controls, for data privacy. From DPIAs to data subject access rights to records of processing activities, and more, they found that different aspects of their privacy program would be affected by new requirements under the GDPR. So, they did a gap assessment and went into project mode to ensure everything was in place for the GDPR deadline. At the time, they took a one-time project approach to the GDPR, with resources dedicated for the length of the project, and metrics all set on meeting that one deadline. Moving forward, they are focusing on ongoing GDPR compliance and now view the May 25th deadline as just the start of their journey.
Michael Scuvee, Chief Data Protection Officer, Legal Compliance at Coca-Cola European Partners commented, “We have moved from a one-time approach to ongoing processes where we are aligning our project components with the Nymity Framework™. The purpose is to embed sustainable business processes and a sustainable governance model in our organisation.” Scuvee continues, “The name of the game is really about demonstrating accountability on demand, so integrating GDPR controls using the Nymity Framework™ has helped us articulate our program, organise our library of evidence, integrate operational processes, perform continuous benchmarking, and demonstrate accountability.”
From Ad Hoc Privacy Projects to Global Privacy Programs
For organisations that are still approaching the GDPR as an ad hoc project, it is important to begin looking at compliance as an ongoing activity and one whose measures can be leveraged to comply with other laws, including the upcoming CCPA. To learn more, view our pre-recorded webinar, produced in conjunction with the IAPP. In the webinar, you will be able to hear, first-hand, how General Motors, Coca-Cola Europe and Otter Products & Blue Ocean Enterprises have approached ongoing compliance.
If you want to know more about how Nymity can support your privacy and data protection program, please do not hesitate to reach out to us. We look forward to hearing from you at firstname.lastname@example.org.