

The IAPP is pleased to bring you this interview with Terry McQuay, CIPP, CIPP/C, CIPP/E, CIPP/G, president of Nymity.

IAPP: How does Nymity describe privacy accountability?  

McQuay: Nymity views privacy accountability as an organization being responsible for privacy by implementing an effective privacy program, maintaining compliance and being able to demonstrate they are doing both. In other words, an organization must be responsible for personal information and be able to “account for it” within the organization and when it flows to business partners (vendors and service providers) by being able to demonstrate the status of their privacy program to internal stakeholders such as senior management and, if desired (or required), to external stakeholders such as regulators, commissioners, data protection authorities, attorneys general and business partners.

IAPP: How do the privacy principles fit this perspective?

McQuay: The accountability privacy principle was first introduced in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. It states that a “data controller should be accountable for complying with measures which give effect to the principles stated above,” referring to the privacy principles in the guideline. This makes the organization that collects the personal data responsible for the data while it or its agents have control or custody of the data.  

At Nymity, we have operationalized the accountability principle since our beginning in 2002. Nymity’s team of privacy experts conducts its research using the Canadian Standards Association’s accountability privacy principle, which is included in Canada’s private-sector privacy law. This principle is more definitive than the OECD’s. One of the requirements is that the organization must designate an individual or individuals to be accountable for compliance with the principles. This shifts accountability to the individual(s) in the organization, which we generally refer to as the privacy office. At Nymity, we see it as the role and responsibility of the privacy office to demonstrate that the organization is being accountable.

Since the Canadian CSA’s accountability principle in 1995, there has been an accountability principle included in the APEC Privacy Framework, the Organization of American States Protection of Personal Data Recommendations and in the International Standards on Privacy Protection.


IAPP: Since an accountability principle from a privacy perspective has been around for a long time, why is there now a renewed look at accountability?

McQuay: The attention to accountability started about three years ago, led by Marty Abrams and the Centre for Information Policy Leadership. The centre saw a need for an added focus for data protection as consumers now have access to an unprecedented array of products, resources and services using personal information due to significant innovations in technology, rapid increases in data collection, analysis and use, and an unprecedented global flow of this information. Notice and choice alone in this increasingly complex environment were clearly no longer working as privacy principles and mechanisms. They placed an undue burden on the consumer, who clearly did not have the ability to fully understand what they were consenting to. The centre saw accountability as a way of ensuring the responsibility for data protection remains with the organization that benefits from the consumer’s data. It believes accountability formalizes the focus of privacy governance by focusing on an organization’s ability to demonstrate its capacity to achieve specified privacy objectives. The centre has a three-phased approach to the accountability discussion:

Phase 1: The centre started with a consensus whitepaper to inform the creation of better business practices and encourage responsible privacy governance. The paper is called “Data Protection Accountability: The Essential Elements - A Document for Discussion October 2009,” often referred to as the Galway project.

Phase II: On October 26, 2010, the centre released “Demonstrating and Measuring Accountability, Accountability Phase II - The Paris Project.” This paper continued the discussion as it addresses concepts, principles, methodologies and techniques that could apply across legal frameworks and cultural orientations.

Phase III of the Accountability Project will be facilitated by the Spanish Data Protection Agency in 2011. It will produce the final paper “Accountability Phase III – The Madrid Project Session on Validation.” The paper is expected this fall.

I should note that Nymity is a member of the Centre for Information Policy Leadership (CIPL). At Nymity, we see the value we can provide is to assist organizations with being accountable, or, in other words, Nymity’s focus is on implementation and, of course, Nymity’s approach to accountability is consistent with and complementary to the work done at the centre.

IAPP: What are the organizational drivers for accountability?

McQuay: As Nymity sees it, there are three main drivers and benefits to being accountable.

Consumers/Business Partners

With the advances in new technologies that collect personal information, such as mobile devices, and the advances in the use of individuals’ data, such as behavioral advertising, the current model of notice and choice (a consent-based model) is no longer sufficient. Many consumers do not understand the notices, and organizations do not have effective mechanisms to provide notice in the new digital world. Accountability ensures the responsibility for data protection remains with the organization, to indeed be compliant with their regulations and company notices.

In today’s world it takes a group of companies, Business Partners (vendors and service providers), to deliver the unprecedented array of new products and services. Often these Business Partners span the world, creating a global flow of personal data. Accountability ensures the responsibility for data protection flows with the data from Business Partner to Business Partner and jurisdiction to jurisdiction. Naturally, an organization wants a mechanism to ensure their Business Partner is accountable and, when they are indeed the Business Partner, wants a cost-effective mechanism to demonstrate their accountability to their clients.

Senior Management

Data protection is now often a regular part of the board of directors’ agenda. The board wants to know the state of compliance as part of their fiduciary and risk-management duties. Being able to demonstrate accountability up through the privacy office to senior management on to the board becomes that vehicle. Cost is also a driver. Early studies are showing that organizations that are able to demonstrate accountability have fewer security breaches and brand-impacting incidents, and their overall compliance and incident-management costs are lower, according to the Ponemon Institute.

Some organizations also see accountability as a comprehensive way to consolidate a multitude of privacy compliance requirements from many jurisdictions—including laws that sometimes conflict—as they focus their attention on creating and maintaining an effective privacy program. This results in a high standard of data protection that strives to encompass all compliance requirements without the need to address every specific rule. It also reduces the risks of non-compliance and demonstrates due diligence should an event occur.

Some organizations are taking steps to prepare for requests from enforcement authorities, either because of previous interaction, an enforcement action or consent decree, as a risk management strategy to reduce the probability of strong enforcement actions or for a possible regulatory requirement to demonstrate accountability to an enforcement authority.


Regulators, DPAs and commissioners look to demonstrate accountability as a means to increase overall data protection compliance in a cost-effective manner. If they were to receive some form of demonstration of accountability from organizations, either regularly or on demand, they would have a low-cost method to survey more organizations, risk-rank the results and leverage their few resources on higher risk organizations.

IAPP: What is taking place in the legislative and regulatory community from an accountability perspective?

McQuay: There is activity in most regions of the world related to accountability. Here are a few examples:

The European Union is looking to make changes to the EU Data Protection Directive or issue a regulation—or some combination therein—and one of the proposed amendments is a new article that is referred to as the “accountability principle.” This amendment is compelling, as it states, “b) The controller shall demonstrate compliance with paragraph 1 to the supervisory authority on its request.”

In the United States, privacy is very active right now, with several privacy bills at both the federal and state level. Plus, in December, the Federal Trade Commission issued the Protecting Consumer Privacy in an Era of Rapid Change staff report and the Department of Commerce (DOC) Internet Policy Task Force issued its privacy green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, both of which will result in changes in privacy in the United States. Another development is the draft “Commercial Privacy Bill of Rights Act of 2011” co-sponsored by Sens. John Kerry (D-MA) and John McCain (R-AZ), which contains the following accountability principle:

SEC. 102. ACCOUNTABILITY. Each covered entity shall, in a manner proportional to the size, type, and nature of the covered information it collects—(1) have managerial accountability, proportional to the size and structure of the covered entity, for the adoption and implementation of policies consistent with this Act; (2) have a process for being responsive to non-frivolous complaints from individuals regarding the collection, use, transfer, or maintenance of their covered information; and (3) describe its programmatic means of compliance with the requirements of this Act upon request from the Commission or an appropriate safe harbor program.

This approach to privacy accountability is similar to what’s proposed in the European Union and in line with the international standards on the protection of privacy (the Madrid Resolution).

In the Asia-Pacific region, the APEC Data Privacy Sub-Group, which includes economies that border the Pacific Ocean in Asia Pacific, North and South America, is nearing completion of the Cross-Border Privacy Rules (CBPR). The CBPR include the creation of “accountability agents” in each of the joining member economies. These accountability agents will have the ability to certify an organization as accountable.

In Canada, currently, there is a complaint-based privacy regime, and the federal commissioner’s office conducts investigations related to the complaint and does not assess an organization’s privacy program. In a recent speech in the context of a review of Canada’s federal private-sector privacy law, federal Privacy Commissioner Jennifer Stoddart stated, “Too many organizations are collecting too much information about too many people for us to continue to rely solely on a complaint-based system in order to assure Canadians that the organizations they deal with are accountable and compliant with PIPEDA.” She then spoke about work from the Centre for Information Policy Leadership and the proposed changes in the EU (discussed above). Changes in the federal law are unlikely in the near future, but this could mark a policy shift from her office, as we may see more on accountability from Stoddart’s office in the future. If so, proactive organizations will, as they have in the past, embrace the commissioner’s message and prepare to demonstrate accountability. Not only is there federal momentum in accountability, but there is also interest provincially. Information and Privacy Commissioner for British Columbia Elizabeth Denham spoke on the matter in Madrid and Washington, DC, and Ontario Information and Privacy Commissioner Ann Cavoukian co-authored a paper with Marty Abrams entitled “Privacy by Design: Essential for Organizational Accountability and Strong Business Practices.”

IAPP: How do you distinguish between Privacy by Design and accountability?

McQuay: In the context of business practices, Nymity looks at Privacy by Design as seven principles that help an organization implement privacy into operational practices without putting unnecessary restrictions on business while ensuring privacy for individuals. Nymity’s view is that Privacy by Design provides an organization a framework on how to develop methodologies and implement effective privacy-compliant mechanisms. We believe Privacy by Design results in accountability in practice.

Nymity is a Privacy by Design Ambassador. We think demonstrating accountability requires privacy mechanisms that are effectively built according to Privacy by Design.

IAPP: What do you consider “demonstrating accountability”?

McQuay: Nymity believes that demonstrating accountability is equivalent to being able to report on the status of the organization’s privacy program against compliance requirements and privacy commitments made in its notices and policies. Our view is that there are four levels of demonstrating accountability. They are:

  1. Assertions: The privacy office reports the status of the privacy program based on their knowledge gained by implementing and maintaining the privacy program within the organization and its Business Partners.
  2. Attestations: The privacy office reports the status of the privacy program and attests to its effectiveness, possibly by conducting survey-based self-assessments from others in the organization and/or from Business Partners to attain evidence to support the assertion.
  3. Validation: The organization may choose to validate the status of the privacy program using a more rigorous assessment method such as an internal audit.
  4. Verification: The organization uses an external entity to assure the effectiveness of their privacy program and optionally to provide some form of certification or trustmark.

We realize most of the accountability discussion is currently in the verification space. At Nymity, we focus on the assertion and attestation space. We believe that an organization that can report the status of its privacy program, either as an assertion or an attestation, is more accountable than an organization that cannot. We also believe that assertions and attestations are prior steps to validation and verification.

We believe that a privacy office that reports the status of their privacy program is demonstrating accountability. We see organizations starting with the privacy office creating a report to internal stakeholders about the status of the privacy program as an assertion. Then, based on the organization’s risk and the resources available, the organization will likely implement more privacy controls, and the privacy office could conduct some form of privacy self-assessment (an attestation) of the organization and/or Business Partners and produce a new report. We believe that attestation is the next step in demonstrating accountability, as the entire organization and its Business Partners are more accountable than they were with the assertion report alone. Naturally, the next step would be to perform internal audits and potentially external validation, which are the even higher levels of validation and verification—thus also demonstrating accountability.

Nymity’s four levels allow an organization to map their method of demonstrating accountability based on risk and cost. In fact, we believe that organizations with high-risk profiles will use all four levels, for example, applying external validation to the areas of high risk and conducting assertions and attestations in areas of lower risk.

IAPP: Is there a good privacy framework for assertions and attestations?

McQuay: As of last month, yes. In March, the AICPA/CICA announced their Privacy Maturity Model, which we feel is an ideal framework for reporting the status of a privacy program, as it provides a high degree of flexibility in implementation and credibility in delivery. Nymity has an agreement with AICPA and has developed a web-based Accountability Reporting Tool. As a maturity model, it provides an organization the ability to report on the status of the privacy program according to the 73 criteria from the AICPA/CICA GAPP framework in a clear manner. The maturity categories of Ad hoc, Defined, Repeatable, Managed and Optimized form the criteria for the state of the status. Their definitions allow an individual to clearly state the status of each element of their privacy program.

The flexibility of the maturity model includes:

  1. Deployment: It can be deployed by department, data store, division and Business Partner(s) and presented as an organizational report.
  2. Application: Being based on a maturity model, it reports the status of the privacy program in a business friendly, risk-based format.
  3. Goal Setting: As a reporting tool, it allows for the setting of goals should the organization need reports to include desired state, when applicable.
  4. Applicable: As a reporting tool, it takes into consideration criteria that do not apply, for example, when reporting the status of service-providers.

Its credibility is gained as the reporting tool was built using the AICPA/CICA Privacy Maturity Model, which is based on the Generally Accepted Privacy Principles. The Privacy Maturity Model has also received international endorsement from ISACA. Over time, this framework and others will grow to form a solid foundation for assertions and attestations.

IAPP: Do you believe the Privacy Maturity Models can be a tool for reporting to enforcement bodies?

McQuay: Perhaps. Nymity has partnered with an international organization to create a pilot to test this theory. We will create assertions and attestations based on the Privacy Maturity Models for a division of this organization’s business. Together, we plan to visit the Canadian commissioner’s office this spring, the offices of several DPAs in Europe during May and a few regulators in the United States in June to present the assertions/attestations for feedback. Based on these visits, we will expand our outreach and approach other enforcement bodies around the world.

The goal is twofold. One, to explore the possibility of an attestation being one of the options for demonstrating accountability to a regulator or enforcement body, and two, to assess the Privacy Maturity Model as a framework for such attestations.

Once the project is complete, we will have a much more definitive answer to this question. If any other organization would like to participate please give me a call.

IAPP: Are there other accountability initiatives Nymity is working on?

McQuay: Yes, several. We have a number of attestation pilots operational in healthcare, the public sector and private sector. Additionally, we have:

  1. A Demonstrating Accountability session at the IAPP Privacy Symposium, May 4-6, in Toronto, Canada.
  2. Privacy Accountability Charts
    Nymity has developed three charts that are visual aids designed to assist privacy professionals when explaining privacy compliance, privacy accountability and how Nymity can help.
  3. Free trials of Nymity’s New Accountability Reporting Tool
    For organizations interested in better understanding the potential of producing assertions and attestations based on the AICPA/CICA Privacy Maturity Model, Nymity is providing free trials of our New Accountability Reporting Tool.
  4. Free Demonstrating Accountability Webinars
    Nymity will provide a series of accountability educational webinars starting in May. In some cases we will have guest speakers; for example, we have a co-hosted Nymity/RSA Archer webinar planned for June.


Hear more from Terry McQuay, CIPP, CIPP/C, CIPP/G, CIPP/E, at the IAPP Privacy Symposium, May 4-6, in Toronto, Canada. In the session, “Demonstrating Accountability,” Terry will join James Byrne, CIPP, associate general counsel and chief privacy officer of Lockheed Martin Corporation, and Constantine Karbaliotis, CIPP, CIPP/C, CIPP/IT, Americas privacy leader at Mercer. The charts and tables found in this interview will be handed out during this session.

