Part 2: Implementing Accountability through Structured Privacy Management
In Part 1 of this three-part series, we took a look at how the concept of Accountability has evolved over the years from simply achieving strict compliance with the laws, to being able to demonstrate compliance through a proactive approach to privacy management. Today, in Part 2, we’ll explain how to get started with implementing a structured approach to privacy management.
Three Essential Components of a Structured Approach to Privacy Management Accountability
Nymity’s research has suggested that privacy management accountability can be broken down into three essential elements: Responsibility, Ownership, and Evidence.
Privacy management activities are ongoing procedures, policies, measures, mechanisms, and other initiatives that impact the processing of personal data, or that relate to compliance with privacy and data protection laws. These activities are determined based on the organization’s compliance requirements, risk profile, business objectives, and the context of data processing.
Within a structured approach to privacy management, responsibility means that appropriate privacy management activities have been implemented and are maintained on an ongoing basis.
Ownership implies that an individual must be answerable for the management and monitoring of each of the privacy management activities. While the privacy or data privacy officer is accountable for data privacy or compliance, the privacy office itself usually processes very little personal data, if any. As such, it is important to emphasize ownership of each of the privacy management activities being carried out across the entire personal data lifecycle, from collection through to destruction. Ownership of some of these activities will reside within the operational and business units, and within those branches, proper ownership of activities must be established.
Once ownership has been established, owners will need to provide supporting evidence that the privacy management activities are being maintained. Evidence is documentation that may be formal (e.g., policies, procedures, reports) or informal (e.g., communication, meeting agendas, and system logs) and can be used with context by the privacy officer to show that a privacy management activity is being performed.
Privacy Management: An Ongoing Process
Responsible organizations do not view privacy management as a one-time “project”; instead they allocate resources to privacy management accountability and continually assess efficacy and needs to ensure that the activities are aligned. It’s an ongoing process that does not result in a “finished project”. Changes inside and outside the organization, including technology, business models, and best practices, will all require privacy management activities to be updated accordingly.
In this respect, privacy management activities can be characterized as either Periodic or Continuous.
- Periodic Activities are performed on a set frequency, e.g. quarterly or annually. These activities are treated as discrete projects or tasks with a defined start and end.
- Continuous Activities are embedded into day-to-day operations. These activities often take an iterative approach, wherein adjustments are made continuously toward the desired outcome.
Whether the activity should be performed periodically or continuously depends on a number of factors. Periodic activities may encourage structure, whereas continuous activities may provide more thorough coverage and risk prevention.
How to demonstrate accountability and compliance
In the final installment of our 3-part blog series, we will examine how the structured approach to privacy management can help to demonstrate accountability and compliance.
Are you looking to get started with planning your GDPR compliance or need some additional tools to help?