Accountability was first established as a privacy principle in 1980, when the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Data Flow made organisations responsible for upholding the principles of the guidelines. When the guidelines were updated in 2013, further emphasis was given to the concept of accountability.
The Article 29 Working Party describes accountability as “showing how responsibility is exercised and making this verifiable”. Nymity defines the fundamental elements of accountability within the context of privacy as:
- Responsibility: The organisation maintains an effective privacy program consisting of ongoing privacy management activities.
- Ownership: An individual is answerable for the management and monitoring of the privacy management activities.
- Evidence: The privacy office has documentation to support the completion of privacy management activities.
As we approach the May 2018 GDPR enforcement date, the ability to demonstrate your organisation’s accountability and capacity to comply with the new regulations will become more important than ever before. As such, tools that assist organisations in establishing procedures, developing documentation, and building a privacy management infrastructure can be the key to supporting ongoing compliance.
GDPR Compliance: Keeping Score
The Nymity Data Privacy Accountability Scorecard™ is a completely FREE, scalable, evidence-based framework that allows organisations to:
- Monitor and measure privacy management activities
- Assign appropriate ownership
- Produce supporting evidence
The scorecard is one of many FREE tools developed by Nymity to assist organisations in demonstrating accountability for data privacy using the three fundamental elements. To learn more about Nymity’s FREE resources for GDPR compliance, visit Demonstrating Compliance: A structured approach to Privacy Management
How to Implement the Scorecard
Perhaps best of all, the Scorecard is a free resource that is easy to use. In addition to the Scorecard download, users also gain access to an instruction book, training videos, and example Scorecards.
Let’s take a look at the three main steps to implementing the Scorecard:
1) Identify Activities, Ownership, and Frequency
The first step is for your organisation to identify all the privacy management activities that are currently being completed, and those that are desired to be completed in the future. Each activity will need to be assigned a responsible individual and a frequency.
Should your organisation require assistance in identifying which activities need to be completed, Nymity has created the Privacy Management Accountability Framework™. The Framework is a comprehensive listing of over 130 privacy management activities structured into 13 categories. The Framework has also been mapped to the GDPR, identifying which activities will specifically address compliance with the regulation.
2) Create Evidence Collection Questions
Next, the privacy office will need to develop simple, concise questions to compel evidence from activity owners. Evidence collection questions must be answered by “yes” or “no” to enable quantifiable analysis.
3) Collect Responses and Evidence
Lastly, the privacy office consolidates the responses and evidence, along with comments for context. This information is then filled into the Evidence Worksheet.
How to Calculate Your Score
To calculate your organisation’s score, divide the number of “yes” answers by the total number of activities identified. The result is the percentage of completed activities: your Data Privacy Accountability Score.
To track progress over time, your score can be plotted on a timeline. In fact, the Scorecard template provided by Nymity automatically generates a graph when the evidence worksheet is completed.
Nymity divides privacy management activities into two tiers:
- Core activities: Those activities that are fundamental to privacy management. These may be mandatory for compliance, or required by the organisation for other reasons.
- Elective activities: Those activities that are encouraged or desired, but not required.
When all core activities are evidenced, the privacy program is considered 100% managed and has reached the target. The Scorecard does not stop there: it also calculates the percentage “Advanced”, based on the elective activities completed and evidenced.
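As an added illustration (not part of Nymity’s Scorecard or of the original post), the score calculation and the core/elective split above can be run over an evidence worksheet; the activity names, owners, frequencies and answers below are constructed for the example:

```python
# Added example (not Nymity's code): compute a Data Privacy Accountability
# Score from an evidence worksheet laid out as the page describes.
from collections import Counter

# Constructed worksheet rows: activity, tier ("core" or "elective"), owner,
# frequency, and the yes/no answer to the activity's evidence question.
WORKSHEET = [
    ("Maintain privacy policy", "core", "CPO", "annual", "yes"),
    ("Maintain record of processing activities", "core", "DPO", "quarterly", "yes"),
    ("Conduct DPIAs for high-risk processing", "core", "DPO", "per project", "no"),
    ("Run privacy awareness training", "elective", "HR", "annual", "yes"),
    ("Benchmark against peer programs", "elective", "CPO", "annual", "no"),
]


def validate(rows):
    """Enforce the page's rules: every activity has an owner and a frequency,
    and every evidence collection question is answered strictly yes or no."""
    for name, tier, owner, frequency, answer in rows:
        if tier not in ("core", "elective"):
            raise ValueError(f"{name}: tier must be core or elective")
        if not owner or not frequency:
            raise ValueError(f"{name}: missing owner or frequency")
        if answer.strip().lower() not in ("yes", "no"):
            raise ValueError(f"{name}: answer must be yes or no")


def score(rows):
    """Return the overall score, the core 'Managed' figure, whether the 100%
    core target is reached, the elective 'Advanced' figure, and open core items."""
    validate(rows)
    total, evidenced = Counter(), Counter()
    for _, tier, _, _, answer in rows:
        total[tier] += 1
        if answer.strip().lower() == "yes":
            evidenced[tier] += 1

    def pct(done, count):  # guard against an empty tier (no division by zero)
        return round(100.0 * done / count, 1) if count else 0.0

    return {
        "score": pct(sum(evidenced.values()), sum(total.values())),
        "managed": pct(evidenced["core"], total["core"]),
        "target_reached": total["core"] > 0 and evidenced["core"] == total["core"],
        "advanced": pct(evidenced["elective"], total["elective"]),
        "outstanding_core": [r[0] for r in rows
                             if r[1] == "core" and r[4].strip().lower() != "yes"],
    }
```

Run on the constructed worksheet, `score(WORKSHEET)` reports 60.0% overall, 66.7% managed (target not yet reached, one DPIA activity outstanding) and 50.0% advanced.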
The Scorecard is a scalable method for documenting accountability, which can be expanded or upgraded to meet the needs of organisations of any structure, sector, or size.
To learn more about the Scorecard, or any of Nymity’s GDPR Compliance solutions, click here: