Part 3: How to Demonstrate Compliance Through an Accountability Approach to Privacy Management
In today’s final installment of our three-part series on Accountability, we examine how taking an accountability approach to privacy management helps an organization demonstrate compliance. As discussed in the previous two posts, the concept of accountability has evolved in recent years to mean more than simply complying with the requirements of a law, regulation, policy, or other commitment such as a privacy notice, framework, or code of conduct. Today’s definition of accountability emphasizes that privacy management activities must be carried out on an ongoing basis, not as a one-time exercise.
The accountability approach to demonstrating compliance is a proactive method: it shows how requirements are being met today, and it maintains the evidence and processes needed to keep meeting them.
Drivers for Demonstrating Compliance
Before we begin exploring the accountability approach, let’s take a look at some of the main drivers for demonstrating compliance:
1) EU General Data Protection Regulation
The need to be accountable and to demonstrate compliance is now codified in the GDPR. Article 5(2) makes the controller responsible for, and requires it to be able to demonstrate, compliance with the data protection principles in Article 5(1), and Article 24 requires the controller to implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the Regulation.
2) Cross Border Data Transfer Mechanisms
As transfers of personal data across borders increase in complexity, some organizations opt into voluntary schemes such as Binding Corporate Rules (BCR), the APEC Cross Border Privacy Rules (CBPR) system, and the EU-US Privacy Shield. In each case, the organization must be able to show that it is adhering to the specific commitments of the scheme it has joined.
3) Meeting Regulator Expectations
Regulators around the world have published guidance making it clear that they expect organizations to be prepared to demonstrate compliance. Having sound policies and procedures in place, and being able to explain which principles those policies are based on, reduces the likelihood that a data protection authority (DPA) will single out an organization for scrutiny. If an investigation is launched and an error is found, being able to show that these procedures exist and are followed also reduces the risk and severity of sanction.
4) Enforcement Actions
A regulatory investigation that results in a consent order or settlement may require the organization to demonstrate compliance with the terms of the order through regular third-party or regulatory audits, often for a period of years.
5) Self-Regulatory Codes and Self-Regulation Systems
Self-Regulatory Organizations (SROs) are responsible for enforcing the industry’s commitments to the voluntary rules and standards of practice within systems such as the European Advertising Standards Alliance (EASA) and the Children’s Advertising Review Unit (CARU). Should an individual file a complaint against an organization, the organization will need to demonstrate compliance or be subject to the system’s sanction mechanisms.
Why Take the Accountability Approach to Demonstrating Compliance?
Accountability requires a thorough understanding of how your organization processes personal data, on what legal grounds, and under which conditions. Demonstrating compliance means you must also be able to produce evidence of that understanding. This is more than a one-off data inventory, and there is no “finished product”: it is an ongoing process that answers not just “What do we do?” but also “Why do we do it, and on what basis?”.
Most organizations understand the risk and impact of a breach and therefore strive to be prepared. By putting measures in place such as privacy incident and breach response plans, training employees to recognise and report a breach, and testing those plans, organizations can be accountable even before any breach has occurred. The organization is then better prepared to minimize the impact on data subjects and on itself, and the existence of tested plans is itself evidence of an ongoing capacity to comply.
Continuity is Key, Context is Critical
Effective privacy management relies on the interpretation of requirements, the assessment of risk, and a contextual understanding of the organization’s particular needs and processes. Demonstrating compliance is best achieved through the completion of ongoing privacy management activities, and the development of those activities is best achieved through an accountability approach.
Nymity offers a number of automated solutions that can assist organizations in developing their own accountability approach to privacy management, with demonstrable compliance as a natural result. To learn more,