In a nutshell, organizational accountability requires organizations to have measures and tools in place that operationalize applicable legal requirements and to be able to demonstrate them on request, say to a data protection authority, business partner or investor. An even shorter way of explaining it is that accountability requires organizations to have demonstrable comprehensive privacy management and compliance programs. But exactly what these programs should entail and look like has, so far, eluded not only global consensus amongst regulators, but also many organizations that are keen on implementing this core data protection requirement properly and effectively.
To assist on both fronts, CIPL embarked on a data privacy accountability mapping project in the middle of last year. Over a period of several months we worked with 17 leading organisations with mature privacy programs in different sectors to explore and assess the ways in which they infuse accountability into their corporate DNA. The outcome of this exercise was our newly published report on “What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework”. The overarching objectives of the Report were to:
- provide concrete evidence and success stories from organizations on how they implement, demonstrate and enforce accountability;
- promote accountability as a board-level and business strategy issue that includes but also goes beyond mere legal compliance; and
- build global consensus between industry and regulators on the elements of accountability.
We started this project by mapping the specific accountability measures and tools included in the participating organizations’ privacy management programs against the CIPL Accountability Framework (see image below), which sets forth seven core elements of accountability. We have long since argued that to be comprehensive and effective, data privacy management programs must include demonstrable processes, measures and tools to address each of these core elements. We are not alone. Commissioner Wilson of the U.S. Federal Trade Commission recently endorsed the CIPL Accountability Framework in a keynote speech at the Privacy + Security Academy:
“One privacy best practice that is particularly relevant now is accountability. The Center for Information Policy Leadership (CIPL), which operates here and internationally, has produced several white papers detailing privacy best practices that focus on accountability. In particular, CIPL’s July 2018 discussion paper, The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society, includes an accountability wheel that provides an excellent visual framework for businesses to design privacy programs . . . . I recommend that companies evaluate their privacy programs in light of these elements, considering carefully each of these areas.”
- Accountable organizations view accountability as a journey and internal change management process to embed data privacy in the company’s DNA, rather than a one-moment-in-time checkbox compliance exercise.
- Organizations consider the CIPL Accountability Framework as an ideal architecture to build, organize, measure and communicate an effective data privacy management program that translates legal requirements into actionable controls.
- Accountable organizations and their privacy officers and senior leaders recognize accountability as a business topic and driver, enabling responsible innovation and business sustainability.
- Organizations report that accountability results in business benefits and efficiencies by reducing delays in sales, reducing the number and cost of data breaches, scaling compliance activities and improving overall operational efficiencies.
- Data processors are also strongly embracing accountability, as it enables them to differentiate in the marketplace and build trust in the digital supply chain with clients who are looking for accountable business partners to fulfil their own obligations.
- Senior leaders recognize the importance of “tone from the top” and leading by example to drive internal cultural change towards accountability in data protection.
- Accountability is sector agnostic and scalable, as it can be implemented by organizations of all types, sizes, sectors (including the public sector), geographical footprints and varying corporate cultures.
- Accountable organizations proactively manage privacy risks to individuals and adopt a risk-based approach to their data privacy management programs.
- Senior management and boards are familiar with accountability frameworks, as they are also used in other compliance areas such as anticorruption, anti-money laundering, competition law, export controls and information security.
- Accountable organizations are driving global convergence in data privacy laws and best practices, which is also helpful for national regulators around the globe who are able to align their views and expectations of data privacy compliance activities.
We encourage all public and private sector organizations that may be asking themselves what a good privacy management and compliance program should look like to read our report. Our findings shed light on some important questions that many senior leaders and privacy officers are asking today. How do we build and implement accountability into our business and organizational culture? How do we operationalize legal norms into risk-based controls, policies and procedures? How do we demonstrate accountability to our boards, shareholders, regulators, business partners, oversight bodies and the public? What is the role of privacy officers in organizations and where should they be positioned? What are key transparency best practices?
In the end, implementing organizational accountability requires two things: one, a comprehensive and holistic approach to address all organizational operations that touch personal data; and two, a lot of creativity and attention to practical details. We are sure that the Report will be able to inspire and guide many of you on both of these, regardless of how far along your organization is on its accountability journey.