Ask any privacy professional who's been in the field for a while and you're likely to hear a familiar trope: There's never enough budget, and justifying any ask for more money for that pesky "privacy problem" is always an uphill battle. Because of that, making sure the privacy office is as efficient and effective as possible ostensibly helps the privacy office to operate on a limited budget. At the same time, demonstrating accountability is becoming important for the privacy office of companies aiming to comply with myriad privacy rules and regulations globally; regulators are increasingly using the word accountability or its cultural equivalent in guidance. In fact, it has been for some time. The word showed up in the OECD guidelines on transborder data flows in 1980; it appeared in Canada's PIPEDA in 2000, in the APEC privacy framework in 2005 and now in the EU's General Data Protection Regulation as drafted.
Noticing both trends, Nymity started researching accountability in 2002. Specifically, Nymity looked at what it looked like for an organization to demonstrate accountability, whether to a regulator or the C-suite. The research resulted in the Nymity Privacy Management Accountability Framework, "an industry-neutral listing of 150-plus privacy management activities within 13 privacy management processes." It aims to help privacy pros structure and track both where the privacy program currently stands—whether it be nascent or mature—and where it aims to go.
The framework operates on three ideas across the privacy tasks: deciphering who's responsible for what; assigning ownership to those responsible, and then providing evidence, or documentation, of the assigned activities being carried out.
At a recent training workshop in Andover, MA, Nymity's Constantine Karbaliotis, CIPP/US, CIPP/E, CIPP/C, CIPM, CIPT, vice president of privacy office solutions, outlined the framework for the dozen attendees, some of whom were privacy officers while others came from compliance functions.
Karbaliotis stressed the importance for a privacy office to be able to document its efforts. It's the backbone of accountability.
"I used to be in personal injury law," he said. "I can tell you, when people are subject to photo radar, they drive much better than when no one is watching. Anyone in compliance knows that when you have to answer for what you do, there's greater compliance."
But where compliance programs focus on outcomes, accountability focuses on the infrastructure supporting those outcomes, Karbaliotis said: "When you start with the notion of accountability, then you've already done the work to map those activities to the requirements of the many different global laws. It allows you to point to a single piece of evidence and demonstrate compliance with laws and regulations, regardless of the legal frameworks."
The idea, he said, is to start mapping and focus on the activities companies do to be accountable, and the outcome, by default, will be compliance.
One participant said one roadblock he could foresee at his organization is the framework's seeming presupposition that the privacy function lives outside of legal.
"The whole organization must feel accountable from a business perspective to get this done," he said.
Karbaliotis said one way to get around that is to remind the organization that when you're accountable, "you're much more able to deal with legal changes. When new things are introduced, you have capacity because you're already doing the activities. Typically, the good things to do are the good things to do globally."
In determining what to do first, the framework suggests identifying where the privacy management activities stand. Are they desired? Have they been planned? Is it so mature they've been implemented?
Next, a data privacy policy owner should be assigned to the privacy activities. For example, the "privacy activity" of "maintain a data privacy policy" might be human resources. So that department then becomes the owner of the activity and is in charge of monitoring new operational practices that might be assigned.
Then it's about picking a strategy. Some organizations might opt for a "managed" privacy strategy; those organizations are likely to be the ones where there's a low risk on processing the personal data involved or where a privacy program is just being launched. An advanced program might be right for a company with a high level of data processing risk or an organization that's had a breach or is aiming to achieve Binding Corporate Rules, for example.
Then it's about creating a resource profile to look at what kind of resources are available to help get the job done. That could include people, processes, technology and tools. A "low" profile, for example, might mean a part-time privacy officer is employed; "medium" might mean there's business and organizational support for privacy, while "high" might mean there's true management support and a funded privacy office.
The majority of participants raised hands to indicate they consider themselves in the medium resource profile, while one said high and two said low.
In the end, Karbaliotis said, most critical is identifying owners of privacy activities. In that way, there's an alliance of people from various departments working toward the same goal.
"That's more powerful than privacy asking for resources," Karbaliotis said. "If you're going together with HR or IT, that's more powerful."
photo credit: Citizens of Canada via photopin (license)