To demonstrate data privacy compliance is to show that the organisation complies with requirements of a law, regulation, policy, or other commitment such as a privacy notice, framework or code of conduct. Demonstrating compliance through an accountability approach goes beyond a “check-box” exercise showing that compliance requirements are met. It is a proactive approach and enables the organisation to demonstrate how the requirements are met in order to enable an ongoing capacity to comply.
Drivers for demonstrating compliance
There are a number of drivers for organisations to demonstrate compliance including:
1. EU General Data Protection Regulation1
As we discussed in the first article in this series, the need to be accountable and to demonstrate compliance is now codified in in Article 24 of the GDPR which closely links to Article 5 on the data protection principles.
Article 24: Responsibility of the Controller
Taking into account the nature, scope, context, and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing of personal data is performed in accordance with this Regulation.
Article 5: Principles relating to personal data processing
Paragraph 1 outlines the data privacy principles which the processing of personal data must adhere to: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. Paragraph 2 states that “the controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (“accountability”).”
2. Cross Border Data Transfer Mechanisms
As transfers of personal data across borders become more complex, many companies opt to enroll in voluntary schemes such as Binding Corporate Rules (BCR), APEC Cross Border Privacy Rules (CBPR), and the EU-US Privacy Shield. The programs vary on acceptable methods for demonstrating compliance but in all cases the organisation must be able to show it is adhering to the commitments.
3. Meeting Regulator expectations
As referenced in part 1, Regulators around the world have published guidance and made it clear that they expect organisations to be prepared to demonstrate compliance. Regulators in Canada, Hong Kong, Colombia, and Australia have published guidance to that effect.2 Having good procedures and policies in place and to be able to explain on what arguments those procedures and policies are based, is vital to demonstrating compliance and will reduce the risk that an organisation is targeted by a data protection authority when they are deciding on new investigations. But even if all the paperwork is in order and regularly updated, human mistakes happen. They happen everywhere and all the time. Regulators understand this. Evidence that an organisation’s “house is in order” and aligned with Regulator expectations reduces the risk of sanction should the Regulator come calling.
4. Enforcement Actions
Regulatory investigation may result in consent orders or settlements that require the organisation to comply with a number of remediating measures. The organisation may be required to demonstrate compliance with the terms of the order or settlement through regular third-party or regulatory audits.
5. Self-Regulatory Codes Self-regulation systems
The European Advertising Standards Alliance (EASA), the Children’s Advertising review Unit (CARU) in the U.S. and other self-regulatory schemes set voluntary rules and standards of practice that go beyond legal obligations. Self-regulatory organisations (“SROs”) are responsible for enforcing industry’s commitment to these rules. In response to complaints from individuals respecting an organisation’s non-compliance with commitments the organisation made in relation to a Code, the organisation must demonstrate compliance with the Code or be subject to sanction mechanisms.
Demonstrating compliance through an Accountability approach versus a Compliance Checklist approach
Accountability requires a good understanding of how you process personal data, on what grounds and under which conditions. Demonstrating compliance means that you should also be able to show evidence of this understanding. It is more than a one off inventory, more than a snapshot of your operations at a certain moment in time. It is not a tick-box exercise. Demonstrating compliance requires on ongoing awareness and understanding of your data processing operations. It is not only the “What?”, but also the “Why?”
As discussed in Part 2 of this series, data privacy accountability is embedded throughout an organisation when there are three components present:
Responsibility: the appropriate privacy management activities have been implemented and are maintained on an ongoing basis.
Ownership: the privacy management activities are embedded throughout the organization (including within each function or business unit that processes personal data).
Evidence: when privacy management activities are being maintained, documentation is produced. That documentation can be used as Evidence of accountability and compliance.
The following example illustrates the difference between an accountability approach and a traditional approach to demonstrating compliance:
Example: Data Breach
In many jurisdictions organisations are required by law to report to regulators and/or notify data subjects in the event of a breach. In order to comply, a breach must have occurred (otherwise it is not possible to report or notify). An organisation can technically be compliant if it waits until it becomes aware of a breach and then reacts accordingly.
However, most organisations understand the risk and impact of a breach and therefore strive to be prepared and therefore accountable. By putting in place appropriate organisational and technical measures such as privacy incident and breach response plans, training employees how to identify a breach and testing plans, organisations can be “accountable” even in the absence of a breach having occurred. The accountable organisation is better prepared to effectively deal with the breach and minimize impact to data subjects and the organisation. For example, an accountable approach to data breach management may include:
Responsibility/Ownership: The privacy office establishes breach response plans, tests the plan, provides employee training, records metrics, and helps to manage the process for reporting and notification. Operational units identify and escalate breaches in accordance with the plan, and assist with response and remediation.
Evidence: data privacy breach response plan, records of testing the plan, data breach logs, data breach reports, data breach metrics, evidence of reporting/notification.
This example illustrates the relationship between an accountability strategy and traditional approach to privacy management and compliance and shows that implementing structured privacy management is a strategic approach and is the best way to enable an ongoing capacity to comply.
Finally, demonstrating privacy compliance is most effective when it is a dialogue rather than a statement of “compliant” or “non-compliant”. Unlike many types of compliance, privacy often requires a contextual understanding, i.e., there is often no simple answer. Effective privacy management relies on the interpretation of requirements, an assessment of risk, and other subjective factors. Providing the right answer may require a dialogue about context. Often the privacy officer is in the best position to articulate the subjective and objective factors influencing decisions and outcomes in the context of:
The rules of privacy law;
The organisation’s business and data processing practices;
How privacy management is embedded throughout the organisation; and
The risk of harm to individuals and the organisation.