In the previous article in this series, we saw how the concept of “accountability” has emerged as a dominant theme in global privacy and data protection law, policy, and organisational practices. Whether it be regulator guidance or legal compliance obligations, it is clear that the accountability principle requires that organisations take a proactive and structured approach to privacy management accountability through the implementation of appropriate and demonstrable privacy and data protection measures. But what is the foundation of this approach and where does one get started?
The Foundation of a Structured Approach to Privacy Management Accountability
Nymity’s research on privacy management accountability [1] has leveraged existing definitions of accountability, regulator guidance (such as Privacy Management Programme, A Best Practice Guide issued by the Office of the Privacy Commissioner for Personal Data, Hong Kong [2]; the Privacy Management Framework issued by the Office of the Australian Information Commissioner [3]; and guidance for Data Protection Officers released by the Personal Data Protection Commission Singapore [4]) and legal obligations (such as under Articles 5 and 24 of the EU General Data Protection Regulation) and has broken the concept down into three elements: 1. responsibility, 2. ownership, and 3. evidence. In addition, Nymity research has shown that responsible organisations do not treat privacy as a project; rather, they allocate sufficient resources to privacy management and continually re-evaluate their privacy management needs to ensure that the privacy management activities keep pace with changes both within and outside the organisation.
In a structured approach to privacy management accountability, responsibility means that appropriate “privacy management activities” have been implemented and are maintained on an ongoing basis. Privacy management activities are ongoing procedures, policies, measures, mechanisms, and other initiatives that impact the processing of personal data or that relate to compliance with privacy and data protection laws.
No two organisations’ privacy management is the same, and thus appropriate activities are determined based on the organisation’s compliance requirements, risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for collection, use and disclosure, etc.). [5]
Ownership is the second element of structured privacy management accountability and builds upon the element of responsibility. The concept requires that an individual is answerable for the management and monitoring of each of the privacy management activities. Even if the privacy or data protection officer is accountable for data privacy or compliance, the privacy office itself usually processes very little personal data, if any. As such, the effectiveness of privacy management relies on the appropriate privacy management activities being performed at all points of the personal data life cycle, from the point of collection to the point of destruction. Ownership of some privacy management activities will reside within the operational and business units, for example, human resources, marketing, product development, IT, customer service, etc., as that is where the data is being collected and processed.
Privacy management activities may be:

- Maintained by the privacy or data protection officer, for example:
  - Conduct privacy training
  - Maintain a data privacy notice that details the organisation’s personal data handling practices
  - Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.
- Influenced or observed by the privacy officer, for example:
  - Integrate data privacy into direct marketing practices
  - Integrate data privacy into an information security policy
  - Conduct due diligence around the data privacy and security posture of potential vendors/processors
The third element of structured privacy management accountability is evidence. In responsible organisations, the owner of a privacy management activity provides supporting evidence that the activity is being maintained. When privacy management activities are performed on an ongoing basis, evidence is produced as a by-product.
Evidence is documentation which may be formal (e.g., policies, procedures, reports) or informal (e.g., communication, meeting agendas, and system logs) and can be used with context by the privacy officer to show that a privacy management activity is being performed. For example, the privacy management activity “Maintain PIA/DPIA guidelines and templates” produces several forms of evidence, including: policies requiring PIAs, procedures and workflows documenting the approval process, PIA guidelines and templates, training documents on how to conduct PIAs, logs of PIAs, etc. This documentation serves as evidence of accountability.
Formal and Informal Documentation
The table below outlines how formal and informal documentation can be produced, influenced, or collected by the privacy office as evidence of privacy management activities.

| Privacy Management Activity | Documentation (evidence) | Role of privacy office | Produced by |
| --- | --- | --- | --- |
| Integrate data privacy into policies/procedures regarding access to employees’ company email accounts | E-mail monitoring policy and procedure | Influenced by privacy office | Information Technology |
| Provide notice in marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications | Influenced by privacy office | Marketing |
Frequency: Privacy Management Activities are Ongoing
Finally, responsible organisations do not treat privacy as a project, although in many cases privacy management may have started as a project. On the contrary, a responsible organisation sufficiently allocates resources to privacy management accountability and continually reevaluates its privacy management needs to ensure that the privacy management activities are aligned.
A privacy management program should never be considered a finished product; it requires ongoing assessment and revision in order to be effective and relevant. The components should be regularly monitored, assessed and updated accordingly to keep pace with changes both within and outside the organisation. This may encompass changes in such areas as technology, business models, law and best practices.
Source: Privacy Management Programme, A Best Practice Guide [6]
Privacy management is a set of ongoing privacy management activities that are performed either periodically or continuously.
Periodic Activities are performed on a set frequency, e.g. quarterly or annually. These activities are treated as discrete projects or tasks with a defined start and end.
Continuous Activities are embedded into day-to-day operations. These activities often take a repetitive approach, wherein adjustments are made continuously toward the desired outcome.
The following table reviews privacy management activities to show how the two approaches to the frequency of activities might differ:

| Privacy Management Activity | Periodic | Continuous |
| --- | --- | --- |
| Maintain flow charts for data flows (e.g. between systems, between processes, between countries) | On an annual basis, require that key stakeholders review the flow charts for accuracy and update the diagrams as necessary | Implement as part of the project management requirements that proposed changes to data flows are identified and the flow charts are updated as a condition of project sign-off |
| Measure participation in data privacy training activities (e.g. numbers of participants, scoring) | Each quarter, review reports generated by the e-Learning system to determine whether all employees have completed the requirements | Configure the e-Learning system to generate alerts when an employee has not completed the training by the required date and send a message to the employee’s manager suggesting he or she follow up immediately |
| Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.) | Establish a cross-functional committee of privacy stakeholders (e.g. IT, Marketing, Legal, HR, etc.) who meet on a quarterly basis to discuss data privacy matters | Create an email alias or group discussion for data privacy stakeholders, to facilitate communication on data privacy matters |
| Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties) | On a monthly basis, review reports of active system users to ensure their access is still appropriate and sign off to indicate approval | Configure the HR system to send alerts to Information Security when employees are terminated or when there are changes to the job title, department, or reporting structure |
Whether the activity should be performed periodically or continuously depends on a number of factors. Periodic activities may encourage structure, whereas continuous activities may provide more thorough coverage and risk prevention.
In the next and final article in this 3-part series, Ms. Troester-Falk will discuss how organisations demonstrate accountability and compliance through a structured approach to privacy management accountability.
[5] To help privacy and data protection officers identify appropriate privacy management activities, Nymity’s Privacy Management Accountability Framework (the result of Nymity’s research on privacy management accountability) is available to the privacy community for free and identifies over 130 privacy management activities that can be monitored and tracked. Available at https://www.nymity.com/data-privacy-resources/privacy-management-framework.aspx
[6] Office of the Privacy Commissioner for Personal Data, Hong Kong, Privacy Management Programme: A Best Practice Guide, Hong Kong, 2014, page 3.