Accountability is a key concept under the GDPR. An accountable organisation is one that is equipped to show how requirements are being met. Accountable organisations have the appropriate technical and organisational measures in place and are able to demonstrate an ongoing capacity to comply.
There has been ample discussion in the data privacy sector, and certainly here on this blog, regarding the debate around what it means to “demonstrate compliance” as referenced in Article 24 of the GDPR. It is clear that the GDPR requires more than a simple snapshot of the data being held by an organisation; instead, in order to demonstrate ongoing compliance, organisations must develop a privacy infrastructure, and maintain documentation of the processes that are put in place to support this infrastructure.
In order to support clients in achieving their compliance goals, Nymity developed the GDPR Compliance Toolkit. The kit contains 5 essential resources to assist privacy officers in understanding, assessing, and planning for GDPR readiness, using an Accountability Approach.
Today, we begin a two-part series detailing the benefits of the GDPR Compliance Toolkit by looking at two key components: The Getting Started Manual for GDPR Compliance, and the GDPR Accountability Handbook.
Getting Started Manual for GDPR Compliance
Beginning the process of addressing GDPR compliance can seem overwhelming. In the Getting Started Manual, we help readers take the first steps by breaking down the compliance process into two tasks: Baseline and Plan. From there, readers will learn how to prioritise the introduction of new accountability mechanisms so that the organisation builds an ongoing capacity to comply.
The Manual is based on the Structured Privacy Management Approach, in which ongoing technical and organisational measures are embedded throughout the organisation, resulting in the ability to demonstrate evidence-based accountability and compliance. The approach is founded on three elements: Responsibility, Ownership, and Evidence.
In the Baseline stage, organisations identify any existing measures that are in place for GDPR compliance, and any measures that have yet to be introduced. The organisation then assigns each measure a status of “implemented”, “in progress”, “desired”, or “not applicable”. Each measure is then assessed in accordance with Responsibility, Ownership, and Evidence.
In the Planning stage, any measures that were identified as “desired” are prioritised for implementation. For measures that are already “implemented” and “in progress”, a plan is created to consistently maintain their status, in an ongoing effort to demonstrate compliance.
In each stage, readers are presented with specialised knowledge from the Nymity Privacy Management Accountability Framework™ for GDPR, allowing them to tailor their approach to the legislation. We will discuss the Framework in Part 2 of this blog series.
GDPR Accountability Handbook
The GDPR Accountability Handbook explores the concept of Accountability in greater detail. Like the Getting Started Manual, the Handbook uses Nymity’s Privacy Management Accountability Framework™ for GDPR to identify 55 technical and organisational measures that can assist in establishing accountability. It then goes a step further by providing real-world examples of policies, procedures, and other mechanisms, as well as example evidence for each.
By providing a structured approach, the Accountability Handbook enables the Privacy Officer to rest assured that each measure has been addressed. An accountability approach to compliance:
- Generates documentation that can be used as evidence of the organisation’s compliance infrastructure
- Builds a culture of privacy, mitigating risk and maximising compliance
- Embeds risk mitigation processes at the operational level
- Empowers business units to assume responsibility
The itemised nature of the Handbook also makes it an easy guide for individuals outside the privacy suite to follow, which makes it an excellent resource to share throughout the business and increase buy-in for compliance efforts across the organisation.
A Framework for GDPR Success
In Part 2 of our series, we will look at the remaining three elements of Nymity’s GDPR Compliance Toolkit, including Nymity’s Privacy Management Accountability Framework™.