Organizational Accountability
CIPL has a long history of exploring accountability-based information management and privacy governance. As part of our work on enabling innovation while also protecting privacy, we are currently exploring how to further develop and improve the existing concept of accountability to maximize both goals.
What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework
This report consolidates the findings of CIPL’s Accountability Mapping Project launched in September 2019, which is part of CIPL’s broader work on the central role of organizational accountability in data privacy.
The main objective of the Report is to promote organizational accountability in data privacy as an essential prerequisite for the 4th Industrial Revolution. CIPL has mapped organizations' real data privacy practices to the CIPL Accountability Framework to provide concrete examples of how to implement effective, demonstrable and enforceable accountability measures through organizations’ privacy management and compliance programs. The Report also includes 46 case studies from the 17 participating organizations from different sectors, geographies and sizes – including two SMEs and a university.
If you would like to discuss this paper, learn about CIPL membership or find out how CIPL can help you build or implement a comprehensive Data Privacy Management Program, please contact CIPL President Bojana Bellamy at [email protected] or CIPL's Business Director Michelle Marcoot at [email protected].
Recent CIPL Accountability White Papers and Articles
Cisco-CIPL Report on Business Benefits of Investing in Data Privacy Management Programs
January 10, 2023
CIPL White Paper - Organizational Accountability in Data Protection Enforcement - How Regulators Consider Accountability in their Enforcement Decisions
October 6, 2021
CIPL White Paper - Organizational Accountability in Light of FTC Consent Orders
November 13, 2019
CIPL White Paper - Organizational Accountability - Past, Present and Future
October 30, 2019
CIPL Accountability Paper - Q&A on Organizational Accountability in Data Protection
July 3, 2019
CIPL White Paper - Organizational Accountability - Existence in US Regulatory Compliance and its Relevance for a US Federal Privacy Law
July 3, 2019
CIPL Accountability Discussion Paper 2 - Incentivizing Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability
July 23, 2018
CIPL Accountability Discussion Paper 1 - The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society
July 23, 2018
CIPL Accountability Discussion Paper Intro - Introducing Two New CIPL Papers on The Central Role of Organizational Accountability in Data Protection
July 23, 2018
Accountability-Based Privacy Governance Project (2009-2013)*
In its first year (2009), the Accountability Project articulated the essential elements that an organisation must adopt to be accountable. It stated that an organisation demonstrates commitment to accountability, implements data privacy policies linked to recognized external criteria and implements mechanisms to promote responsible decisions about the management and protection of data. Such external criteria include applicable law and regulation, and recognized external guidelines. The Project’s first year established that to be accountable, an organisation should design and implement comprehensive data and privacy protection programmes based on analysis of the risks data use raises for individuals and on responsible decisions about how those risks can be appropriately mitigated.
In its second year (2010), the Project proposed the fundamental conditions that an organisation should put in place and be able to demonstrate to regulators. It further considered how, and under what circumstances, regulators, data protection authorities and their designated agents would measure accountability. The Project anticipated that organisations and regulators must be able to implement and measure the fundamentals in a manner suitable for the organisation, its business model and the way it collects, uses and stores data.
In year three (2011), the Project considered accountability as an approach to privacy and data protection required and implemented across the marketplace, and articulated the benefits that would accrue to individuals, the market and organisations as a result. While in such a model all organisations would adopt accountability, the Project identified instances in which an organisation might seek recognition of its accountability. It also described under what circumstances organisations would be required to demonstrate their accountability, and what that demonstration would entail.
When the Project continued into its fourth year in 2012, accountability had emerged as a recognized approach to privacy and data protection. The European Commission had proposed a data protection regulation that would apply across European Union member countries and in which accountability played a critical role. The Privacy Commissioners of Alberta and British Columbia in Canada had released a document articulating what data protection authorities would expect of organisations under an accountability approach. The Organisation for Economic Cooperation and Development is considering possible revisions to the Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, among them a more fully developed description of the principle of accountability. The Asia-Pacific Economic Cooperation forum (APEC) finalized its Cross-Border Privacy Rules system, an accountability-based code of conduct for businesses in the APEC region. In light of the evolution of accountability into an accepted, practical approach to privacy and data protection, the Accountability Project set as a goal development of a tool that would assist organisations in evaluating the steps they have taken internally to establish the conditions for accountability and in demonstrating them to data protection authorities or their recognized third-party agents.
Phase V of the Accountability Project was carried out in 2013 and focused on the element of risk and how to apply accountability in environments such as the public cloud and mobile.
*The Inspector General for Personal Data Protection (GIODO), Poland served as the facilitator of the Project.
Project Documents
Copyright © 2024 by the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP.