Regulations are making organizations increasingly accountable for the data they process, and the trend is unlikely to change. GDPR has not only upped the game when it comes to accountability, making organizations pay (literally) for data breaches or for failing to report them; it also created new roles with responsibilities for privacy ownership within organizations and raises awareness of the categories of data you collect and process.
In the first two parts of our guide, we covered how to prepare and build your data privacy framework, and we looked at policies and procedures and how important they are in defining and enforcing day-to-day privacy compliance.
In this article, Part 3: Accountability, we cover the varying levels of accountability and why assigning accountability is instrumental in the ongoing management of your data privacy program.
What Do We Mean by Accountability?
In the context of data privacy, accountability means not only making sure that a person or group is responsible for data privacy in every processing activity, but also ensuring they can clearly demonstrate compliance with indisputable evidence, such as:
- Documenting privacy policies, procedures, notices, requests, and consents
- Adopting an accepted internal transfer mechanism
- Maintaining a risk registry and asset inventory
- Keeping records of all data processing activities.
The General Data Protection Regulation (GDPR), Article 5, paragraph 2, states that "the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')".
In essence, accountability underpins all of the privacy principles described in paragraph 1, ensuring controllers understand their responsibility to enforce those obligations in their data processing practices.
Including accountability, the GDPR sets out 7 principles in total:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The Spectrum of Accountability
Accountability can be understood along a spectrum, ranging from the basic accountability requirements imposed by law (such as under the GDPR, PIPEDA, or CCPA) to more granular accountability measures that are not legally required, but that your organization may decide to implement because they convey substantial reputational benefits and increase your competitive advantage.
Demonstrating accountability and assigning ownership is precisely where GRC tools add value to any organization willing to implement a strong privacy program. Leadership is a crucial component of accountability, and transparency from top to bottom supports the desired data governance posture. Executive buy-in will determine whether your organization decides to make data privacy a priority by going above and beyond the legal requirements.
Managing Accountability and Compliance
A typical GRC tool can be used to document and control privacy documentation. It can also be a foundational tool for a robust risk management program, including the execution of data protection impact assessments (DPIA), data privacy assessments (DPA), the third-party management process, and other essential elements of organizational accountability, including:
- Leadership and oversight
- Competence, training, and awareness
- Monitoring and verification
- Enforcement (of laws, policies, and procedures)
It is essential that the Data Protection Officer (DPO), or whatever title you give the professional accountable for deploying your privacy principles within your organization, has visibility of the entire program. With an appropriate tool, such as GRC software, privacy professionals gain invaluable insight into the inner workings of their privacy program so they can quickly identify issues and find a resolution. Making informed decisions is a core element of a properly managed privacy program and cannot be done without the proper data and insight.
In the context of data privacy, accountability plays a big role in your privacy program. Processes to ensure policies and procedures are being followed must be implemented, and clearly demonstrating compliance with documented evidence is critical to the strength of your privacy program. While some accountability requirements must be met, others exceed what is legally necessary. Satisfying these additional requirements can provide your organization with a competitive advantage and illustrate your company's position on, and commitment to, data privacy and security. Manage your data privacy program and accountability using GRC software to provide management, stakeholders, and clients with complete transparency.
How Can StandardFusion help?
StandardFusion is a comprehensive GRC software that helps teams manage everything relating to their privacy program and accountability. Within the tool, administrators can assign policies and procedures to individuals, support privacy-related product decisions, and monitor regulatory compliance from a single source of truth. StandardFusion's automated capabilities allow DPOs to extract comprehensive reports for insight into the various aspects of the privacy program, and to document findings as controls that can be used to satisfy requirements and demonstrate traceability. See StandardFusion in action and schedule your demo today!