For multi-jurisdictional organisations, complying with the GDPR and other applicable laws, such as the upcoming CCPA, may seem daunting, but there is no time to waste. In fact, organisations that are subject to the CCPA need to be ready on the 1st of January 2019, so that they satisfy the 12-month look-back for consumer requests for data processing disclosure. Ready or not, the enforceable deadline for CCPA compliance is just a few weeks away.
But there is a workable solution. Organisations that have put accountability mechanisms in place to become GDPR compliant can also leverage those mechanisms to comply with the CCPA and other privacy laws. The key is transitioning from a point-in-time GDPR project to a scalable, regulatory-agnostic, and efficient privacy program.
CASE STUDY: HID Global’s Transition from GDPR Project to Multi-Jurisdictional Privacy Program
In a recent Lexology webinar, I discussed how I took our GDPR project at HID Global – aimed at being compliant on the May 25th deadline – and built it into a complete, accountability-based privacy program that can comply with multiple laws.
In the months leading up to the GDPR, HID Global’s business was evolving, and they needed to evolve their privacy program along with it to comply with the upcoming regulation. I was brought in to help mature their existing privacy program and prepare them for GDPR compliance.
HID Global’s GDPR effort included conducting a privacy program gap assessment, developing a global data processing inventory, performing Data Protection Impact Assessments (DPIAs) and executing remediation efforts around improving policies, procedures, and guidelines to address GDPR and EU originating personal data. The result of these efforts was a privacy program to address the GDPR for the May 25th deadline, but the program was heavily privacy-office focused and not yet global in scale.
At the time, the privacy office used a traditional, questionnaire-based DPIA to complete risk assessments for processing activities involving personal data originating from the EU. This required training non-privacy personnel within the business on how to answer the questionnaire. The privacy office then reviewed each DPIA and made recommendations to the business.
Since the existing privacy office was small, the goal was to find a way to shift accountability to the business, so the organisation could cover more risk and incorporate Privacy by Design (PbD) throughout. To that end, HID Global created a program consisting of accountability mechanisms, a new type of Privacy Impact Assessment (Accountability PIAs), training and awareness initiatives to empower the business, and ongoing compliance monitoring of the program. The organisation had already created a foundation of global policies and procedures that addressed regulatory requirements; the goal now was to develop procedures, work instructions, and guidelines that could be applied more globally and in a more scalable, regulatory-agnostic, and efficient way. The organisation is taking the following steps to accomplish this:
Step 1: Assessment of Existing Accountability Mechanisms
The first step is performing an accountability mechanism gap assessment. HID had a head start: the existing DPIAs provided an inventory of privacy risk by function within the organisation. Using those DPIAs (which identified the privacy risk that had been mitigated) along with the Nymity Privacy Management Accountability Framework™, the privacy office is approaching business units and functions to conduct gap assessments against the existing processing activities and privacy risks. The goal is to create policies, procedures, and guidelines that address both organisational privacy risk and regulatory requirements. The privacy office interprets the applicable privacy regulation for the business to ensure that the organisational accountability mechanisms address the requirements.
Step 2: Training and Awareness
After the gap assessment and the creation of additional accountability mechanisms, the next step is conducting additional training and awareness campaigns to encourage the business to use the policies, procedures, and guidelines. The training consists of a mix of computer-based training, PowerPoint presentations, and periodic meetings with an extended privacy network within the business functions. The goal is to empower the business to appropriately handle the typical data privacy issues they encounter and to better incorporate privacy by design into their everyday job, regardless of the applicable regulations. This step gives the business the instructions they need to follow in order to process personal data in the context of their job, and it helps shift accountability for mitigating privacy risk from the privacy office alone to a shared responsibility within the organisation.
Step 3: Accountability PIA
The next step is shifting from a traditional, questionnaire-based PIA, where the business answers privacy-related questions (which are at times complex) and the privacy office reviews the answers, looks for risk, and makes recommendations and remediation plans, to an Accountability PIA methodology. Rather than asking the business to answer questions and then recommending steps to mitigate identified risk (steps that may already be covered in an existing policy, procedure, or guideline), the Accountability PIA points to a relevant Accountability Mechanism (AM) and asks the business to attest to whether or not they have used the AM for the processing activity they are recording in the PIA. When the PIAs are done, reports are generated that illustrate the risks that have been identified and the associated existing Privacy by Design (PbD) methods that demonstrate that the risk has been mitigated and how. This reinforces to the business that there are existing guidelines that should be followed, rather than policies and procedures sitting in a repository that personnel are aware of but do not reference on a regular basis. By changing the dynamic of the traditional questionnaire-based PIA, where the privacy office assesses risk and makes recommendations, Accountability PIAs reinforce the concept of PbD by encouraging the business to use existing guidance to incorporate privacy requirements from the beginning.
Step 4: Ongoing Compliance Monitoring
An important final step is to periodically review the effectiveness of the Accountability Mechanisms. The Framework covers most of the common requirements across existing obligations, but occasionally outliers come up that need to be accounted for, and there may be risks identified during the PIA process that are not covered by existing AMs. Periodically, the privacy office reviews existing policies, procedures, and guidelines to determine whether both the business risks associated with personal information processing and the regulatory requirements the organisation is subject to are adequately addressed. The outcome is adjusting the AMs, perhaps adjusting training and awareness, and discussing better ways to mitigate privacy risk during the periodic extended privacy network meetings, in order to keep pace with evolving privacy risk and regulatory requirements.
HID Global found that an accountability-based program, incorporating privacy by design and built on Nymity’s Framework, can enable an organisation to leverage existing privacy management activities to comply with multiple laws. Using the Framework, organisations around the world build and maintain privacy programs that demonstrate accountability and compliance. As organisations transition to the ongoing compliance phase of the GDPR, those also subject to the CCPA should leverage their GDPR activities now to be ready to comply with the California law. Find out how Nymity can help.