If ever there was a potential cure-all for the current trust deficit in the digital society and the many data protection woes facing us, organizational accountability surely is it.
It is no surprise, therefore, that in recent years, accountability has garnered broad international support in data protection circles. It is also now a prominent feature of many modern day privacy regimes, including the EU General Data Protection Regulation. But to reach its full panacean potential, accountability must be widely implemented.
And for that to happen, it must be incentivized.
It is commonly understood that accountability represents a holistic and comprehensive approach to data protection, encompassing an array of key elements covering all aspects of a solid data protection and management program. These elements are: leadership and oversight; risk assessment (including DPIAs); policies and procedures relating to data processing; transparency; training and awareness; monitoring and verification; and response, complaint-handling and enforcement. These elements may be informed by applicable laws, or by the substantive requirements of certifications or codes of conduct, or simply by organizational values and goals independent of, or in addition to, any external requirements. But, in each case, they form a comprehensive program that, at the most basic level, ensures compliance with the relevant standard or goals but that can also deliver a wide array of additional benefits to the organization and other stakeholders, particularly where the accountability measures go beyond what is minimally required by law.
Examples of such benefits include recognizing accountability as one of the mitigating factors in the context of enforcement actions and in setting fines (the GDPR codifies this benefit); driving global intra-company harmonization; enabling interoperability and global data flows; serving as a due diligence tool when selecting data processors; and generating customer and societal trust in modern data uses.
Indeed, implementing accountability above and beyond minimum legal requirements not only benefits organizations but also individuals and regulators. For regulators, accountability provides an assurance that organizations are identifying and prioritizing high-risk processing; it reduces their oversight, complaint-handling and enforcement responsibilities; it allows them to be more selective and strategic with their often limited resources; and it promotes constructive engagement with accountable organizations.
For individuals, it delivers real and more-effective protection of their personal data; it empowers them in the management of their data and shifts the burden of ensuring their protection more explicitly to organizations. It also permits them to reap the full benefits of participation in the digital society.
Thus, the higher an organization places on the accountability scale, the better for everyone.
The benefits of accountability, particularly when based on “heightened accountability” (i.e. accountability that goes above and beyond what is legally required), however, do not come without significant investment on the part of the organization. Such investment requires backing from corporate leadership and intense efforts on the part of DPOs, in-house counsel, privacy staff and other key players within the organization to reap the rewards of being on the upper end of the accountability spectrum. Absent appropriate incentives to make this financial and labor-intensive investment towards heightened accountability, many organizations will likely remain at the basic compliance level of accountability, rather than aiming higher.
Given the many new and developing privacy laws and regulations around the globe, most responsible organizations have spent much of the last few years implementing accountability-based privacy programs. The threat of enforcement has been a good motivator for many in this regard. But enforcement mostly ensures basic compliance, not necessarily the wide array of benefits that heightened accountability beyond what is required by law can deliver. For such higher levels of accountability, additional encouragement and incentives are required. Some encouragement for such heightened accountability, of course, may come from the self-interest of organizations relating to various market-based and competitive advantage benefits that may result from a high level of organizational accountability.
However, external incentives are necessary and appropriate as well.
Data protection authorities have played a vital role in promoting accountability as a comprehensive framework for the responsible use of data, as well as in advocating for its inclusion in various data protection regimes. Their next critical role will be, together with lawmakers, to define clear external incentives, that will supplement the threat of enforcement and various internal incentives. This will encourage the implementation of accountability at levels that fully maximize its potential. This notion forms the basis of two new discussion papers from the Centre for Information Policy Leadership on “The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society” and “Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability.”
As already suggested, there is a wide range of incentives that could be deployed to encourage a broader and more robust implementation of accountability. For example:
- Allowing data controllers that are implementing accountability beyond mere legal compliance to pursue a wider range of reasonable and beneficial uses of personal data. This could include broader parameters for the use of data for social good and research or for using personal data to facilitate responsible AI and machine learning, including in the context of “regulatory sandbox” initiatives.
- Publicly recognizing best-in-class organizations and showcasing the accountable “best practices” that they engage in. This would promote the reputation and trust of accountable organizations and promote healthy competition for accountability in the marketplace.
- Affirmatively recognizing formal accountability schemes such as binding corporate rules, APEC Cross-Border Privacy Rules and Privacy Recognition for Processors, and future GDPR certifications as evidence of a high level of accountability and privacy protection to enable cross-border transfers and as formal due diligence tools in the selection of processors and vendors and in M&A transactions.
These are just a few examples of the various incentives that DPAs and lawmakers could provide to motivate organizations to take their accountability-based data protection programs to the next level.
Such external incentives will, in effect, function as an additional “return on investment” for organizations that choose to move from bare-bones compliance to gold-plate corporate digital responsibility. Establishing the concept of organizational accountability at the center of modern data protection was crucial but is not sufficient alone. The next step has to be to find ways to ensure the actual and practical implementation of this concept by organizations of all sizes and to encourage accountability measures that go beyond mere legal compliance.
Thinking about appropriate incentives for accountability is truly one of the next frontiers in data protection.
If you want to comment on this post, you need to login.