News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | For Privacy Officers: Getting to Accountability with Limited Resources Related reading: Empowering Individuals Beyond Consent

rss_feed

""

""

""

Many privacy and data protection regulators around the world, including regulators in Canada, France, Australia, Hong Kong and Colombia, have written guideline papers about accountability that promote the building of a privacy-management program. These guideline papers provide the building blocks for a privacy program but do not address how to resource the building and maintain a privacy-management program.

Privacy offices grapple with the challenge of finding enough resources to allocate for privacy management. The challenges include communicating a definitive privacy-management program, leveraging and motivating individuals throughout the organization and justifying the business case to obtain the necessary resources. Even then, how to best allocate the available resources to maximize privacy management has historically been more of an art and less of a systematic approach.

We know that privacy officers can only implement and maintain privacy-management activities based on the resources provided, and as such, we believe a resource-based approach is best. Our research has led to an accountability approach that is based on building an effective privacy-management program by maximizing available resources.

A resource-based approach enables privacy officers to scope the privacy-management program to encompass all organizational activities that involve or affect the processing of personal data. Such activities include not only those maintained by the privacy office but also those maintained by areas that are outside the privacy office within operational and business units that control or influence the processing of personal data—for example, in HR, IT, legal and marketing.

To maximize resources, the privacy office first determines the current status of privacy management by identifying maintained privacy-management activities throughout the organization. Doing so with a systematic approach will also enable a privacy officer to identify available resources in the form of people, processes, technology and tools. The good news is that privacy officers at responsible organizations will find that there are many privacy-management activities implemented in other areas of the organization, for example, in human resources and marketing. Plus, additional resources will be found throughout the organization.

The privacy office then needs to determine an appropriate privacy-management strategy by considering external influencing factors—such as legal and compliance requirements and privacy risk—and align with overall organizational objectives. A strategy, made up of a definitive set of privacy-management activities, then allows for the prioritization of activity-implementation based on available resources. Our research, available in our accountability paper, has found that there are three common strategies:

  • The Managed Privacy Strategy: The minimum number of privacy-management activities to manage risk and enable ongoing compliance
  • The Advanced Privacy Strategy: Going beyond the minimum by implementing privacy-management activities that further embedding privacy and data protection throughout the organization
  • The Demonstrate Accountability and Compliance Strategy: A privacy-management program strategy for organizations with the business case to stand ready to demonstrate accountability and/or compliance on demand

To prioritize the resources, no matter which strategy is selected, our research has found three ways for getting started based on available resources:

  • Low resources, privacy policy first: Start with an organization-wide privacy policy; train employees on their obligations under the policy. Communicate the practices to data subjects via a privacy notice and ongoing management reporting. A privacy policy-first approach is best suited for organizations with low resources available.
  • Medium resources, governance first: Start with governance-based privacy management activities including formal assignment of responsibility, processes for interacting with data subjects and third-party data processors and sign-off procedures that involve the privacy office. A governance-first approach is best suited for organizations with moderate resources available.
  • High resources, inventory first: Start with more resource-intensive privacy-management activities such as inventory of all personal data and design policies and procedures that are embedded throughout the organization, enterprise privacy-risk assessment, integrate data privacy into business-risk assessments and conduct PIAs for new programs, systems and processes. This approach is most often favoured in textbooks and training materials as it does not take into consideration resource constraints.

Allocation of resources can be a challenge, but in most cases, the justification of resources for privacy management is even harder, and as such Nymity has launched a series of free global privacy-management workshops to be held later this year. These workshops and our accountability paper help privacy officers create a definitive privacy-management program, justify additional resources and best allocate the resources to achieve the privacy-management strategy established by the privacy office.

Accountability

The IAPP has created a whole page full of tools and research dedicated to accountability in the Resource Center, including Nymity’s Privacy Accountability Baselining and Benchmarking Methodology, Privacy Management Accountability Framework and Data Privacy Accountability Scorecard. See it here.

Author
Headshot Terry McQuay, CIPP/G Nonmember Contributor
Tags
Privacy Operations Management
1 Comment

If you want to comment on this post, you need to login.

  • comment Kwame • Jul 29, 2015 
    Thanks for sharing this Terry, great insights. I'm looking forward to the workshop in Cincinnati, OH! And the accountability paper is a great resource as well. Thanks!
Related Stories
Empowering Individuals Beyond Consent
2
Individual consent to data processing has been an anchor of data protection and privacy laws around the world. The assumption is that consent ensures that information practices are focused on the rights and interests of individuals by enabling them to control the use of their personal data. Most law...
Read More queue Save This
Accountability

The IAPP has created a whole page full of tools and research dedicated to accountability in the Resource Center, including Nymity’s Privacy Accountability Baselining and Benchmarking Methodology, Privacy Management Accountability Framework and Data Privacy Accountability Scorecard. See it here.

Related Stories
Tags
Privacy Operations Management
Recent Comments