Nymity's Regulator Projects: Demonstrating Compliance to Regulators
Demonstrating compliance is an essential part of privacy and data protection laws around the world. What it means to demonstrate compliance, however, and what kind of evidence should be provided, has not been clearly defined. The topic has therefore been key for Nymity-funded research for a number of years. Nymity’s research has led to the creation of several tools and documents readily available to the privacy community, assisting the Privacy Officer or Data Protection Officer (DPO) and helping them understand why structured privacy management is the best way to achieve accountability.
With the General Data Protection Regulation (GDPR) in sight, Nymity has launched its next research projects: Demonstrating Compliance to Regulators, Based on a Rule of Law, and The Possible Introduction of a New Certification Mechanism Tied to a Rule of Law. The outcomes of these projects will be relevant for both organisations and regulators. During the course of these two research projects (“Regulator Projects”) we will cooperate with data protection authorities and data controllers in order to test our ideas. The GDPR is the driver for the research and will be the main example used throughout the Regulator Projects. As has been the custom for all of Nymity’s previous research, the outcomes of the projects will be jurisdiction-neutral and can thus be applied around the world.
During the projects, Nymity intends to organise various workshops and other events as part of the discussion with regulators and organisations on expectations and demands for demonstrating compliance and applying for certification. In addition, a selected number of organisations will be asked to participate in the project through a benchmark exercise, providing insight into their preparations for the GDPR over time. The data generated from this exercise will allow us to gain an empirical understanding of what organisations consider ‘appropriate’ technical and organisational measures for their EU operations.
The results of the research will be published in the following papers:
- Paper 2016-A: January 2016 – the Marrakech edition (Available Now)
- Paper 2017-A: September 2017, ahead of the 39th ICDPPC in Hong Kong (Available Now)
- Paper 2017-B: January 2018, ahead of CPDP in Brussels
- Paper 2018-A: September 2018, ahead of the 40th ICDPPC
How can your Organisation Participate and what are the Benefits?
The first part of this research project involves Nymity analysing the aggregate benchmarking data of participating organisations. To gather this data, Nymity will provide access to the Nymity Benchmarks™ tool at no cost to participants. Each participating organisation will access the tool online and baseline its EU privacy management program. Participants will be able to download charts and reports comparing the status of their privacy management with that of other organisations. Participants will also receive a report generated from the analysis of the aggregated benchmarking data. Please note that the data will remain 100% confidential.
If you are interested in participating, please contact Nymity at firstname.lastname@example.org and indicate in the subject line: Nymity Regulator Research Project.
DEMONSTRATING COMPLIANCE TO REGULATORS - PART II: FROM THEORY TO PRACTICE
Nymity hosted event at the 39th International Data Protection and Privacy Commissioners Conference.
During this 2017 CPDP Conference panel, Demonstrating Compliance as the Basis for Certification, the speakers discussed how a structured approach to privacy management helps to demonstrate compliance with the law. A key component of the discussion was whether such an approach can form the basis of an Article 42 GDPR certification.
Paul Breitbarth, Nymity (NL), Valérie Bourriquen, CNIL (FR), Gemma Farmer, Information Commissioner's Office (UK), Irene Kamara, TILT (NL)