How to Get Started and Demonstrate Compliance through an Accountability Approach: A Three Part Series
Part 1: What is Accountability as a Privacy and Data Protection Principle?
In 1980, the original OECD Guidelines introduced the accountability principle. Twenty-five years later, it was also addressed in the 2005 APEC Privacy Framework. Following the revisions to the OECD Guidelines in 2013, accountability emerged as a dominant theme in global privacy and data protection law, policy, and organizational practicesToday, accountability is considered fundamental to privacy management and in fact, it is codified as a legal compliance obligation under the EU General Data Protection Regulation (GDPR) in Articles 5 and 24.
In this three-part blog series, we’re going to be examining the concept of accountability as a privacy and data principle, explaining how to “get started” with a structured approach to privacy management, and finally sharing how to demonstrate compliance through an accountability approach to privacy management.
The Paradigm Shift to Accountability
Earlier mentions of accountability in the OECD Guidelines centred on the idea that data controllers should be accountable for complying with measures which give effect to the other data protection principles (for instance, Collection Limitation and Purpose Specification). At that time, accountability for complying with privacy and data protection remained with the data controller, even in situations involving onward transfers (where the processing was carried out by a third-party).
In 2013, the revised OECD Guidelines reserved the original accountability principle, but a critical new element was added regarding implementation. The revised OECD guidelines state that data controllers should:
- have in place a privacy management program (PMP);
- be prepared to demonstrate their PMP as appropriate, in particular at the request of a competent privacy enforcement authority; and
- notify significant security breaches to enforcement or other relevant authorities, as well as affected data subjects where the breach is likely to adversely affect data subjects.
The PMP is required to be tailored to the structure, scale, volume, and sensitivity of the controller’s operations. It needs to be integrated into the controller’s governance structure, and routinely reviewed and updated.
PMP’s have several essential elements, including:
- Appropriate safeguards based on privacy risk assessments
- Mechanisms ensuring that third parties maintain appropriate safeguards when processing data on behalf of the controller
- Plans for responding to incidents
- Inquiries and internal oversight mechanisms
The Processor must keep a record of activities carried out on behalf of the controller. This should include:
- Name and contact details of the processor, controller, and where applicable, the controller or processor’s representative, and the DPO
- Categories of processing carried out on behalf of the controller
- Overview of third country data transfers (if applicable)
- Technical and organisational security measures (if applicable)
Accountability in the GDPR and Beyond
As mentioned above, the GDPR references accountability and demonstrating compliance in Articles 5 and 24. Similarly, many national privacy and data protection regulators have published guidance on their expectations with regard to responsible data privacy program management.
Today’s emphasis on accountability requires organizations to take a proactive and structured approach to privacy management through the implementation of appropriate and demonstrable privacy and data protection measures.
How do I get started?
The question then becomes: How can my organization begin implementing an accountability strategy for privacy management? At Nymity, our research has shown that the best first step is what we call the “structured approach” to privacy management. In part 2 of this 3-part blog series, we will explain how to get started.
In the meantime, we have a number of free resources to help you assess and plan for GDPR compliance.