Accountability and Demonstrating Compliance Under the GDPR: Two Case Studies
The accountability principle in Article 5 of the GDPR requires organisations to demonstrate compliance with all principles of the legislation. Article 24 sets out how organisations do this, by requiring that they implement appropriate technical and organisational measures.
But what does that mean?
In short, accountability is the “what” and the “why”. Article 24 essentially ensures that your organisation is aware of which data processing operations are taking place and what underlying decisions have been made regarding those operations. For this reason, accountability is an ongoing exercise that must be customised according to each organisation’s unique processes. For more information on the accountability principle, read our previous posts on the topic.
Blue Ocean Enterprises and MoneyGram International: Real Life Examples
Given the complex nature of the GDPR compliance and accountability obligations, it is helpful to look at real-life examples of how peer organisations are handling their compliance efforts. In our most recent webinar, we spoke with Alexys Carleton, Director of IA and Privacy at Blue Ocean Enterprises, as well as Deb Shita, Global Privacy Program Manager for MoneyGram International. We asked these experts a series of questions about their organisation’s journey.
Question 1: The first prong of a structured approach to privacy management is responsibility. How did you identify the specific responsibilities (privacy management activities/technical and organisational measures) that would be required for demonstrating GDPR compliance?
Blue Ocean utilised the Nymity GDPR Accountability Handbook to baseline their program. Alexys had a great deal of internal knowledge, which allowed her to answer many of the questions on her own. Line by line, she examined each measure to determine whether it was complete.
MoneyGram hired a third party to conduct a gap analysis, having determined that they needed a set of “fresh eyes” to give an accurate assessment of the state of their program. Because their organisation was quite mature, they used an ad hoc maturity model to baseline.
Question 2: What approach did you take in order to prioritise the list of responsibilities?
Blue Ocean took a project management approach. This began by working with various teams to group the technical and organisational measures that were not complete into internal project names. From there, they determined the resource availability for each project. Some measures needed to be completed first in order for others to be tackled, which naturally created a “road map” for the future.
MoneyGram used a privacy maturity model, in which they “ad hoc” identified the “must haves”, “enhancements”, and “future considerations”, checking items off as they went along.
Question 3: A structured approach involves not only the tasks (responsibilities), but also identifying owners who can maintain the tasks over time to demonstrate ongoing compliance. How did you identify owners?
The GDPR Compliance Project team took on the bulk of the responsibility for all tasks, because they had the most specialised knowledge on the topic. Beneath this layer, however, within each of the business units, a key person was assigned to each task. These individuals made up the “operating committee”. This group met once a week to discuss the progress of their projects.
Question 4: The third prong of a structured approach is evidence, which is tied to both the task (responsibility), and the owner. What were the deliverables from some of the projects or tasks you worked on?
Blue Ocean created a number of “conversation starter” documents that represented a short-form version of the documentation that the privacy office would need to fill out. Each team had a document specific to their needs that required them to fill in details every time a business process change occurred. Through this process, they discovered that much of the data gathered from the business units could be repurposed for the records of processing.
Question 5: If you were starting today, what would you do now? What would you advise others on where to start?
Blue Ocean would suggest that if you are just getting started, look at your highest-risk areas, e.g. the possibility of a data breach. From there, map processes around those risks and prioritise accordingly. They would also allow ample time to achieve compliance in critical areas, as it is an arduous and ongoing process.
For consumer-facing organisations, taking a risk-based approach centred on the rights of data subjects would be the most beneficial. MoneyGram suggests beginning by prioritising the rights of data subjects, and making sure a process for handling data subject requests is in place first.