While there’s no way to know exactly how the trilogue process is going, there seems to be a general consensus that the final version of the General Data Protection Regulation will bring “accountability” to the forefront of privacy programs everywhere.
While Canada’s PIPEDA law first introduced the term as its first principle of privacy compliance, and accountability frameworks have been a part of Safe Harbor compliance and binding corporate rules for some time, there would seem to be an etched-in-granite nature to “accountability” once the GDPR goes live.
Currently, the word only appears in the Parliament’s draft of the legislation, most notably as the header to Article 22: “Responsibility and Accountability of the Controller.” The Council heads this section as “Obligations of the Controller,” and the original Commission text just reads “Responsibility of the Controller.”
You can see how this process is taking a while.
Regardless, all three drafts include this phrase: “be able to demonstrate.”
Therein lies the essence of accountability. Not only must data controllers not break the law, they must—all three drafts are in basic agreement—be able to show on demand that they are taking active steps to make sure they don’t break the law in the future.
Further, this idea has become embedded in the outlook of privacy enforcement regimes from Hong Kong to Japan, Singapore to Colombia.
“Accountability has been perceived as a soft approach to data protection,” said former Colombian DPA José Alejandro Bermúdez from the plenary stage at the 37th Annual International Privacy Conference here in Amsterdam, “but I think that’s a completely mistaken notion. Accountability requires hard work, continuous review and a complete understanding of your data flows.”
Not only are companies the beneficiaries, said José Alejandro, but the DPAs benefit as well. With small staffs and budgets, they need to have a collaborative relationship with the privacy industry.
“We have a staff of 35 people and we are responsible for access to information requests and privacy enforcement for 300,000 businesses and 2,900 public agencies,” noted Elizabeth Denham, Information and Privacy Commissioner for Canada’s British Columbia, during a pre-conference workshop organized by Nymity and the Center for Information Policy Leadership. Focusing on accountability means, “if we hear about a breach, instead of going to look at the technical violation, we go in and ask for evidence of a comprehensive approach to privacy management.”
This idea of demonstration is in the proposed GDPR text that was issued by the European Data Protection Supervisor, as well, and that text also calls for periodic accountability reports to document the steps taken to ensure proper data privacy.
In fact, said Christopher Docksey, Director at the EDPS, “Accountability sets a higher standard than compliance … it’s not enough to be subject to rules.”
The good news for privacy professionals? “The best way that we could think of to ensure accountability was to involve the [data protection officer] right at the outset before embarking on processing,” Docksey said. “We can see that there’s a correlation between the expertise of the DPO and the level of compliance. They go together intimately.”
But are companies really doing this? Are CEOs and boards willing to do more than comply with the law in the name of accountability?
Absolutely, said Julie Gibson, global privacy program leader at Procter & Gamble. “We provide global access to our data,” she noted, by way of example. “In any country, if you have a question about the data we collected, then you can request that, and we do that in every country where we sell products. And it’s in the local language.”
Further, she said, “We vet all vendors in all countries the same way and require them to meet the same requirements. That’s a big challenge. Lots of vendors say they are too small to do what we require of them and we have vendors walk away … They ask, ‘Why are you doing this to me?’”
Merck CPO Hilary Wandall said Merck operates similarly. “We require there to be appointed in every single country a privacy steward for the governance structure,” she said. “And we have an annual certification process where every single senior leader has to certify as to their organizational accountability. If there’s something that’s missing, they need to put an action plan in place.”
Not surprisingly, “accountability” shows up some 30-plus times in the “Privacy Bridges” report that forms the core of the commissioners’ conference here. In fact, Bridge #8 is titled simply, “Accountability,” and identifies the “common elements of enforceable corporate accountability programs.” Ideally, the FTC, the Article 29 Working Party and the rest of the world’s regulator groups would coalesce around something like this as a common definition, the Privacy Bridges authors argue.
Already, both sides of the Atlantic seem to agree that accountability-based regimes should have substantive privacy rules that are binding, institutions taking concrete measures to ensure compliance, an external verification mechanism and redress for violations of the rules. The authors then examined FTC consent decrees and the requirements for binding corporate rules and found a number of other common elements, including leadership involvement in program oversight, privacy professionals to assure proper internal corporate implementation and organization-wide training programs.
Core to the success of accountability going forward, they write—and you may have seen this coming—is the continued development of privacy professionals. Not only must they be trained and certified, but they also need to be provided the resources and budget to accomplish the kind of execution and documentation that true accountability requires.
Thus, there is a great deal of consensus among the pending GDPR, the wishes of chief privacy officers working in a global environment with any number of relevant regulations they need to follow, and the recommendations of the Privacy Bridges authors.
“Compliance” and “Accountability” would seem to be on a crash course. Companies will have a hard time doing the former without demonstrating the latter.