To demonstrate data privacy compliance is to show that the organization complies with requirements of a law, regulation, policy, or other commitments such as a privacy notice or code of conduct (“Rule Source”). This manual will introduce the accountability approach to demonstrating compliance, and provide detailed instructions for how to implement this approach. Demonstrating compliance through an accountability approach goes a step further than simply showing that compliance requirements have been met, it enables the organization to demonstrate how the requirements are met, and it shows that there is structured privacy management in place to enable ongoing compliance.
For several years, Nymity has conducted formal research and observed privacy management programs in organizations across the world, of various sizes, and in every sector. Much of our research on privacy management has focused on measuring and reporting on the status of data privacy accountability and compliance. We have spoken with Privacy Officers, Policy Makers and Regulators to identify the critical success factors for demonstrating compliance. A key outcome of this research is that among several approaches, the most effective, structured, and scalable approach is for the privacy office to use an accountability approach to demonstrate compliance.
Effective privacy management relies on the interpretation of requirements, an assessment of risk, and other subjective factors. That isn’t to say there is no right answer; there is a right answer, however, providing it requires a dialogue about context. Nymity’s research has found that the best way to demonstrate compliance is for the Privacy Officer to articulate the subjective and objective factors influencing decisions and outcomes. The Privacy Officer is in the best position to understand and be able to articulate compliance in the context of:
- The rules of privacy law;
- The organization’s business and data processing practices;
- How privacy management is embedded throughout the organization; and
- The risk of harm to individuals and the organization.
This manual details how a privacy office can demonstrate compliance by contextualizing evidence to Rules. It also provides guidance for effectively gathering evidence and reporting quantitative metrics using a Microsoft Excel® spreadsheet called the Nymity Data Privacy Accountability Scorecard™.
Demonstrating Compliance Manual
This manual will introduce the accountability approach to demonstrating compliance, and provides detailed instructions for how to implement this approach. Demonstrating compliance through an accountability approach goes a step further than simply showing that compliance requirements have been met.
Leverage Existing Documentation
Processing personal data responsibly takes place throughout the organization and many organizations were doing so long before the establishment of the privacy office.
Implemented by the privacy office: the privacy office is directly responsible for performing the activity;
Influenced by the privacy office: in some cases, the privacy office supports other parts of the organization in embedding privacy into operational practices; or
Independent of the privacy office: the activity may be performed entirely within another part of the organization, and the privacy office observes with limited influence.
Nymity Data Privacy Accountability Scorecard™
The Nymity Data Privacy Accountability Scorecard (“Accountability Scorecard”) is a scalable, evidence-based framework that allows organizations to:
Monitor and measure privacy management activities
Assign appropriate ownership
Produce supporting evidence
The Accountability Scorecard is a scalable, evidence-based framework that allows organizations to demonstrate compliance and accountability for data privacy.