
Written by Nymity
on September 07, 2017

Part 2: Implementing Accountability through Structured Privacy Management

In Part 1 of this three-part series, we took a look at how the concept of Accountability has evolved over the years from simply achieving strict compliance with the laws, to being able to demonstrate compliance through a proactive approach to privacy management. Today, in Part 2, we’ll explain how to get started with implementing a structured approach to privacy management.


Three Essential Components of a Structured Approach to Privacy Management Accountability
Nymity’s research has suggested that privacy management accountability can be broken down into three essential elements: Responsibility, Ownership, and Evidence.

Responsibility
Privacy management activities are ongoing procedures, policies, measures, mechanisms, and other initiatives that impact the processing of personal data, or that relate to compliance with privacy and data protection laws. These activities are determined based on the organization’s compliance requirements, risk profile, business objectives, and the context of data processing.

Within a structured approach to privacy management, responsibility means that appropriate privacy management activities have been implemented and are maintained on an ongoing basis.

Ownership
Ownership implies that an individual must be answerable for the management and monitoring of each of the privacy management activities. While the privacy or data privacy officer is accountable for data privacy or compliance, the privacy office itself usually processes very little personal data, if any. As such, it is important to emphasize ownership of each of the privacy management activities being carried out across the entire personal data lifecycle, from collection through to destruction. Ownership of some of these activities will reside within the operational and business units, and within those branches, proper ownership of activities must be established.

Evidence
Once ownership has been established, owners will need to provide supporting evidence that the privacy management activities are being maintained. Evidence is documentation that may be formal (e.g., policies, procedures, reports) or informal (e.g., communication, meeting agendas, and system logs) and can be used with context by the privacy officer to show that a privacy management activity is being performed.


Privacy Management: An Ongoing Process
Responsible organizations do not view privacy management as a one-time “project”; instead, they allocate resources to privacy management accountability and continually assess efficacy and needs to ensure that the activities remain aligned. It is an ongoing process that never results in a “finished project”. Changes inside and outside the organization, including technology, business models, and best practices, will all require privacy management activities to be updated accordingly.

In this respect, privacy management activities can be characterized as either Periodic or Continuous.

  • Periodic Activities are performed on a set frequency, e.g., quarterly or annually. These activities are treated as discrete projects or tasks with a defined start and end.
  • Continuous Activities are embedded into day-to-day operations. These activities often take an iterative approach, wherein adjustments are made continuously toward the desired outcome.

Whether the activity should be performed periodically or continuously depends on a number of factors. Periodic activities may encourage structure, whereas continuous activities may provide more thorough coverage and risk prevention.


How to demonstrate accountability and compliance
In the final installment of our three-part blog series, we will examine how the structured approach to privacy management can help to demonstrate accountability and compliance.
