Accountability is having its moment in today’s digital, data-driven world, accentuated by the COVID-19 pandemic, according to Hunton Andrews Kurth Centre for Information Policy Leadership President Bojana Bellamy, CIPP/E. And while this is “the age of accountability,” she said, it’s something the CIPL has been promoting for many years.
Among its work, in 2018, the Centre published an accountability framework that identifies the essential elements of accountability-based data privacy and governance programs: leadership and oversight; risk assessment, policies and procedures; transparency, training and awareness; monitoring and verification; and response and enforcement.
The accountability approach has been embraced by a number of companies, incorporated into various laws and supported by some regulators, she said, but there’s still been a lack of consensus on what data privacy accountability looks like in practice.
That’s where the CIPL’s new report comes in. “What Good and Effective Data Privacy Accountability Looks Like: Mapping Organisations’ Practices to the CIPL Accountability Framework” explores how 17 companies of various sizes, in a variety of sectors and geographical areas, have successfully created, implemented and enforced accountability in their business, culture and privacy programs. It also looks at how to make strides toward a global consensus on accountability between industry and regulators.
“In the U.K. and Ireland, when you discuss (EU General Data Protection Regulation) compliance with regulators, yes, they see compliance, but they haven’t really seen accountability yet,” Bellamy said of the need for consensus. “Companies talk about it, but no one has shown it. That, to me, was a challenge. I said to my team, ‘We have to do something about that,’” she said.
The CIPL reached out to its members, working over six months with organizations with mature privacy programs to explore and assess the ways they incorporate accountability into their data privacy programs and corporate culture, as well as how their practices follow the CIPL Accountability Framework.
“What we mean by accountability is really the ability of organizations to build a comprehensive privacy management and compliance program which translates all the legal requirements that apply to them and all the standards and internal policies into very manageable operationalized policies, procedures, controls, and tools. Then it’s about managing that program and being able to demonstrate the existence of that program internally and externally,” Bellamy said.
CIPL’s report found that all of the mature companies assessed viewed accountability as a business value and a continuous journey. It found those organizations reported a reduction in the number and cost of data breaches and improved overall operational efficiencies. They also had in common engaged senior leadership that articulated the importance of data privacy and accountability from the top, she said, and they prioritized privacy programs and accountability measures based on risk.
She said the assessment indicates accountability can be implemented irrespective of the industry sector and size.
“There’s no one-size-fits-all,” Bellamy said. “You have to find your own story … It is about looking at your own risks, understanding why data matters to you and why privacy is important for your company, where there could be risks.”
At Mastercard, which participated in the CIPL report, Chief Privacy Officer Caroline Louveaux, CIPP/E, CIPM, said the company’s privacy journey started long ago and continues to evolve with accountability at its core. Mastercard has incorporated a privacy risk framework into its product development process and leverages privacy-enhancing techniques like anonymization to further enhance individuals’ privacy and security, she said. The company also conducts privacy compliance checks and audits of its data and privacy practices on a regular basis.
“Businesses have a responsibility to individuals, one another and society as a whole in everything they do, including how they manage data,” she said. “Data has the potential to fuel the next century for innovation, but only if companies’ data practices are held to the high standards we all deserve. Our approach to accountability is grounded in a commitment to innovation that places the individual at the center of everything we do.”
Louveaux said implementing an accountable privacy program has multiple benefits. It facilitates effective data protection and has the flexibility to adjust to multiple legal frameworks globally, as well as evolving trends, including new technologies like artificial intelligence. It is also crucial to building and maintaining public trust in a company’s data practices, she said.
She agreed with the report’s findings that accountability, along with a company’s support for and implementation of it, starts at the top.
“Organizational culture is the foundation of a truly accountable organization. Commitment to privacy and respect for human rights starts at the highest levels of our organization and runs across the company. Getting executives and senior management on board is essential to implement a successful accountability program,” she said.
Twitter Global Data Protection Officer Damien Kieran said privacy and data protection are a part of the social media company’s culture, and accountability is the foundation of its privacy and data protection program.
Kieran said Twitter supported CIPL’s work because it has seen the benefits of that work within the company’s own culture and practices. The company mapped its privacy and data protection practices against the framework and has been using it to discuss practices with senior management, its board of directors and regulators, he said, adding Twitter’s privacy work is “always going to be iterative.”
“We’re going to continue building on these efforts as we learn from people about what they need to understand about our services,” he said. “Accountability, both at a personal and organizational level, helps to keep our teams focused on what matters in terms of protecting user privacy and data. These efforts ensure that we’re asking the right questions and implementing the right measures to protect consumer privacy and data as we work to bring our services to people all over the world.”
U.S. FTC Commissioner Christine Wilson highlighted accountability during a keynote speech at the Privacy + Security Academy in May, calling it a “privacy best practice” that she said is particularly relevant now. She recommended companies evaluate their privacy programs considering the CIPL’s framework.
“Given the proliferation of public/private partnerships, federal, state and local authorities, as well as academics, should be intentional about accountability. The practices employed now will have long-term implications — all entities involved should take care to ensure that the precedents are constructive,” she said.
Bellamy said Wilson’s message is “incredibly powerful” and encouraging.
She hopes the momentum these conversations and the report are creating around accountability will influence companies to build it into their privacy programs, and that it helps build consensus among regulators and policymakers globally to encourage accountability.
“One of the reasons we did this project is to get regulators to build consensus around this,” she said. “When the laws talk about accountability or best practices, they don’t actually say what they mean and those of us working in accountability, we’ve been working to talk about the elements and to build that work … The more we talk about it as a privacy community, the more regulators will come to a consensus.”