Over the past decade, we have witnessed the gradual rise of “organizational accountability” in global privacy and data protection law and practice. Privacy regulators increasingly expect it from their regulated organizations, and it’s fair to say that many modern privacy laws now explicitly require it. CIPL has been engaged pretty much from the beginning both in helping to define what this concept actually means in practice and in socializing this important concept globally. We have urged regulators and law and policymakers to promote and incentivize the uptake of accountability, and we have pushed organizations around the world to implement and operationalize it. Why? Because accountability, and only accountability – properly understood, can deliver effective privacy protections for individuals and, at the same time, enable the wide range of beneficial data uses that are indispensable to an increasingly digital world. Accountability enables organizations to comply with privacy laws around the world, supports organizational data strategies, sustainability data uses and digital transformation, and is the foundation for public trust in the digital society.  

In a nutshell, organizational accountability requires organizations to have measures and tools in place that operationalize applicable legal requirements and to be able to demonstrate them on request, say to a data protection authority, business partner or investor. An even shorter way of explaining it is that accountability requires organizations to have demonstrable comprehensive privacy management and compliance programs. But exactly what these programs should entail and look like has, so far, eluded not only global consensus amongst regulators, but also many organizations that are keen on implementing this core data protection requirement properly and effectively. 

To assist on both fronts, CIPL embarked on a data privacy accountability mapping project in the middle of last year. Over a period of several months we worked with 17 leading organisations with mature privacy programs in different sectors to explore and assess the ways in which they infuse accountability into their corporate DNA. The outcome of this exercise was our newly published report on “What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework”. The overarching objectives of the Report were to:

• provide concrete evidence and success stories from organizations on how they implement, demonstrate and enforce accountability; 
• promote accountability as a board-level and business strategy issue that includes but also goes beyond mere legal compliance; and 
• build global consensus between industry and regulators on the elements of accountability.

We started this project by mapping the specific accountability measures and tools included in the participating organizations’ privacy management programs against the CIPL Accountability Framework (see image below), which sets forth seven core elements of accountability. We have long since argued that to be comprehensive and effective, data privacy management programs must include demonstrable processes, measures and tools to address each of these core elements. We are not alone. Commissioner Wilson of the U.S. Federal Trade Commission recently endorsed the CIPL Accountability Framework in a keynote speech at the Privacy + Security Academy:​

​Our accountability mapping project did just that. It looked at leading organizations’ privacy programs in light of the seven elements of CIPL’s “accountability wheel.” In addition to collecting a plethora of concrete examples of how organizations effectively operationalize accountability through specific measures, the Report also identifies ten common trends within accountable organizations:

1. Accountable organizations view accountability as a journey and internal change management process to embed data privacy in the company’s DNA, rather than a one-moment-in-time checkbox compliance exercise.
2. Organizations consider the CIPL Accountability Framework as an ideal architecture to build, organize, measure and communicate an effective data privacy management program that translates legal requirements into actionable controls.
3. Accountable organizations and their privacy officers and senior leaders recognize accountability as a business topic and driver, enabling responsible innovation and business sustainability.
4. Organizations report that accountability results in business benefits and efficiencies by reducing delays in sales, reducing the number and cost of data breaches, scaling compliance activities and improving overall operational efficiencies.
5. Data processors are also strongly embracing accountability, as it enables them to differentiate in the marketplace and build trust in the digital supply chain with clients who are looking for accountable business partners to fulfil their own obligations.
6. Senior leaders recognize the importance of “tone from the top” and leading by example to drive internal cultural change towards accountability in data protection.
7. Accountability is sector agnostic and scalable, as it can be implemented by organizations of all types, sizes, sectors (including the public sector), geographical footprints and varying corporate cultures.
8. Accountable organizations proactively manage privacy risks to individuals and adopt a risk-based approach to their data privacy management programs.
9. Senior management and boards are familiar with accountability frameworks, as they are also used in other compliance areas such as anticorruption, anti-money laundering, competition law, export controls and information security.
10. Accountable organizations are driving global convergence in data privacy laws and best practices, which is also helpful for national regulators around the globe who are able to align their views and expectations of data privacy compliance activities.

We encourage all public and private sector organizations that may be asking themselves what a good privacy management and compliance program should look like to read our report. Our findings shed light on some important questions that many senior leaders and privacy officers are asking today. How do we build and implement accountability into our business and organizational culture? How do we operationalize legal norms into risk-based controls, policies and procedures? How do we demonstrate accountability to our boards, shareholders, regulators, business partners, oversight bodies and the public? What is the role of privacy officers in organizations and where should they be positioned? What are key transparency best practices? 

In the end, implementing organizational accountability requires two things: one, a comprehensive and holistic approach to address all organizational operations that touch personal data; and two, a lot of creativity and attention to practical details. We are sure that the Report will be able to inspire and guide many of you on both of these, regardless of how far along your organization is on its accountability journey.

In the pressing global fight against Covid-19, technological and AI solutions, involving massive tracking and data analytics, have brought into sharp focus public concern over our fundamental right to privacy. Some have even asked whether privacy will be the victim of Covid-19. And, some have pointed out that our fundamental right to life must trump our right to privacy. 

However, most of us want and expect both. Most of us agree that data driven analysis and decisions, as well as data sharing among industry and governments, are indispensable in fighting Covid-19 and future pandemics—whether to anticipate the virus’ spread and peak; to test new medications or forecast the need for hospitals, medical staff and equipment; to understand people’s social interactions and likelihood of contamination; to verify that quarantine and social distancing measures are observed; or to enable those who have recovered from the virus to resume their work, life and other freedoms for the benefit of us all. And, we also agree that privacy is foundational to our democracies and must be protected now and in the post-Covid world. So, how can we have both—socially responsible collective action and privacy? The answers lie in organizational accountability.

Organizational accountability is an emerging concept in data protection and privacy regimes globally. It requires companies and the public sector to implement effective privacy and data management programs, measures, processes and tools and be able to demonstrate these to regulators, shareholders, business partners, and the public. It complements compliance with existing privacy laws, which may vary from country to country, and operationalizes applicable legal requirements. Accountability also goes beyond compliance and creates openness around decision-making processes for data use and sharing, thereby generating public trust. This concept has been increasingly embraced by industry and public sector bodies around the world. Organizations have been appointing Chief Privacy Officers; establishing internal governance and oversight procedures; carrying out privacy impact assessments that balance risks to individuals and benefits of data uses; delivering user-centric transparency; training their staff about data privacy and ethics; imposing restrictions on service providers, business and government partners when using their data; implementing security measures and technologies; responding to complaints and individuals exercising their rights to know about data uses or delete data. And yes, they have also had to deal in an accountable and cooperative manner with regulators when things went wrong and they suffered security breaches. These accountability-based privacy programs deliver robust controls and protections for individuals and their data, while also enabling responsible data use and sharing, which is so essential for the growth of our digital society and economy. All industry sectors, from high tech to healthcare and telecom, are looking to organizational accountability as the mechanism to bridge the dual imperatives of privacy and innovative data use. 

The fight against Covid-19 is a perfect case study for how accountability can enable both of these goals. Organizational accountability empowers organizations to react quickly and robustly at a time of crisis without sacrificing privacy protections, or the ability to do what is necessary and right for our collective wellbeing. When accountability measures are properly implemented, communicated and enforced, there is no better way to address not only legal privacy obligations, but also societal skepticism, distrust, and fear of unbounded surveillance and abusive data practices. This is especially true where speed is of the essence, frameworks for responsible data sharing have not yet been developed, the need for clear and practical controls is mounting and regulators are scrambling to provide their own views on using data in the context of pandemics.

So, what are the basic accountability measures that organizations of all types, including companies, governments, research and academic institutions, can agree on and implement immediately to address data privacy concerns and enable responsible collection, use and sharing of personal data in the fight against Covid-19?

(1) Clearly defined and documented purposes of data use: Each proposed project must define clear objectives to set the boundaries of what can and should be done with the data and for what purposes. The proposed data purposes should be supported by evidence that data use actually addresses a particular need.

(2) Proportionality test: The amount, manner and duration of data processing must be relevant, necessary and proportionate to the desired objectives. The organizations must be able to answer and document the following considerations: (1) Can we achieve the same objective with less data, or by using aggregated or fully anonymized data that does not identify any individuals? (2) Is the data processing we are proposing a proportionate response for the goal we are trying to achieve? And if not, what do we need to change and do to make it proportionate? 

(3) Privacy impact assessment: Organizations must assess the level of risk of data use or sharing and the potential impact on rights and freedoms of individuals for each project. Risk may be higher if a project involves sharing of health or geolocation data. In that case, what specific mitigation measures should be put in place to address this heightened risk? The assessments must also include an assessment of identified risks against benefits of data use and, especially, the reticence risk. There may be great costs for not using data-driven technology in crisis contexts, even to our other fundamental rights, including life, health and movement.

(4) Transparency to individuals: Individuals whose data is being collected, shared and used must be given user-friendly information about the project and the uses of their data. This can also include information about controls implemented to address any data privacy risks and anything else that would build their trust in and acceptance of the project, such as where to address questions and requests to exercise data protection rights.

(5) Robust security: Security is one of the cornerstones of data privacy. It must be maximized in the Covid-19 context to avoid unauthorized access to sensitive data, tampering with machine learning algorithms that may be used to forecast the need for hospitals, medical staff and equipment, make diagnoses or anticipate the hacking of critical IT systems. 

(6) Storage and use limitation: Data processing undertaken in the Covid-19 context to predict virus peak levels or to understand people’s interaction and likelihood of contamination, must be conducted under clearly limited time frames. Once the purpose of processing is fulfilled, data should not be stored and used any more for another new objective that is unrelated to the original purpose. 

(7) Roles, responsibilities and training: All staff, contractors and third parties working on the project must be clear on their roles and responsibilities in delivering accountability measures and ensuring privacy protection. Organizations must provide everybody with role based training and set expectations for acceptable behaviors.

(8) Data sharing agreements and protocols: Organizations sharing information must define their respective rights and obligations and specific controls relating to data use in a legally binding instrument. The protocols must include oversight and review mechanisms to escalate any issues and ensure all parties act in accordance with the agreement.

(9) Trust, but verify: Organizations must conduct assessments and audits, and verify that they are implementing all the requirements, controls and accountability measures specified in the project and any third party agreements. 

(10) Internal oversight and external validation: The more complex and high risk the data use/sharing project is, the greater the need to ensure internal top management and Chief Privacy Officer oversight and clear accountability of leadership in the organizations. This may also involve some forms of external validation, with external ethics or data advisory councils, or data review boards where these are already in place. 

(11) Regulatory engagement and validation: Organizations must be prepared to demonstrate accountability measures and seek feedback on the project from data privacy regulators. This can be either in the planning phases, or post-facto, on request, or in the case of a complaint or another issue. Constructive engagement between organizations and regulators is especially crucial in the Covid-19 climate where new and unforeseen uses of data are becoming essential for protecting the public. By discussing and navigating relevant challenges together, organizations and regulators can achieve necessary and quick outcomes that comply with applicable requirements and generate public trust. Such efforts will also set data privacy regulators up to establish a unified approach to regulating data in emergencies for the future.

(12) Privacy-by-design through technical measures: Organizations must consider how technical measures can help ensure privacy-by-design in new data projects. For example, differential privacy, anonymization and federated learning can be useful techniques when deploying AI and machine learning applications.

By implementing the above measures, both the public and private sectors will ensure digital responsibility, enabling data innovation and delivering effective privacy protection. Public authorities, in particular, have a leading role to play in applying accountable practices in the Covid-19 context. Data often travels between the public and private sectors and it is critical that governments refrain from any practice that could jeopardize trust in technology and the digital economy to help solve this crisis. When requesting access to or sharing of data from the private sector, governments must implement all appropriate accountability measures and protections we discuss above. In particular, their requests must be based on a statutory or other legally permissible requirement and their use of data strictly limited for the purpose of a specific Covid-19 initiative. 

Individuals, industry, academics, public authorities and society at large—we are all engaged in the same battle against the coronavirus. Our key advantage over previous pandemics is technology and data, which have armed us with new and effective resources against the virus’ destructive potential. We must use them to the fullest. In times of danger, individual privacy cannot trump our social responsibility towards others. Nor should the common good have to trump privacy. Accountability enables us to enjoy both and to have our privacy cake and eat it together.

Click here to download this article.