As the deadline to comply with the requirements of the EU’s General Data Protection Regulation fast approaches, there are a growing number of companies pushing ahead with a strategy of “paper compliance” to meet the voluminous requirements of the new regulation. Some advocates of this approach see paper compliance as a necessary stop-gap measure on the road to full compliance, i.e., paper and operational compliance. Others view paper compliance as the preferred currency of regulators and, therefore, as an adequate measure to protect the company from enforcement actions, regardless of whether the company is operationally complaint with GDPR or other privacy and data protection regulations. Setting aside these and other motivations that inform a decision to pursue a strategy of paper compliance, it is important to note that there are significant compliance and accountability challenges companies should be aware of and consider prior to moving forward with this approach.
Paper compliance is not operational compliance
Perhaps the most obvious challenge facing paper compliance is that while it can effectively codify principle-based data privacy laws into written policies, procedures, contract provisions, and workforce training materials (this is precisely what is meant by paper compliance), it clearly remains silent when it comes to the issue of operational compliance, which we can define as a company’s people, internal processing, and information systems and tools that operationalize the principles in the company’s various written policies, procedures, and contracts.
Consider the following example: Company A has in place an external-facing privacy notice that informs data subjects of their rights, including the right to access, update, delete, and restrict certain processing activities. Additionally, the company has documented internal policies and procedures that inform the workforce about what the company’s obligations are to data subjects and how to respond to and fulfill requests from data subjects. On paper, Company A certainly appears to be meeting its compliance obligations. However, lets also assume that Company A doesn’t possess the appropriate capabilities to meet its obligations to restrict certain processing activities or delete a data subject’s personal information, or, for that matter, even identify the systems in which a data subject’s personal information resides. In this case, paper compliance is akin to a house of cards. From afar, everything looks in order. In fact, any incident or complaint that would bring regulatory scrutiny could bring the house of cards tumbling down and along with it incur heavy fines and significant reputational harm.
The accountability challenge
A related challenge to paper compliance revolves around the issue of accountability and its increasing importance in privacy regulations, including the GDPR. Although accountability is one of those buzzwords that means different things in different contexts, for the purposes of this discussion we will define accountability as the organization’s compliance with their privacy obligations and the ability to verify that compliance. For advocates of paper compliance, the written policies, procedures, contract provisions and training materials can demonstrate and verify the company’s compliance with their privacy requirements. This is generally true of paper compliance proponents –regardless of whether they view it as a stop-gap measure on the road to full compliance, or whether they view it as sufficient to protect the company from a variety of risks including onerous enforcement actions.
However, this view of paper compliance as tantamount to a company’s accountability obligations misses one very important aspect of accountability: Namely, while it is true that paper compliance can demonstrate to regulators (and customers) that the company has codified privacy principles and practices, this is not the same as adducing evidence that the company’s technical controls are operating in compliance with the company's privacy policies and procedures.
Real accountability must go beyond paper compliance to include a component that makes it possible for regulators (or other stakeholders) to verify – via demonstrable evidence – that the company’s information systems and associated technical controls are processing personal information in accordance with the company’s documented privacy commitments. Many commentators have referred to our current era as the age of accountability. There is clearly a greater emphasis on accountability now than in recent times, and for companies unable to verify that they are in full compliance with their privacy commitments, there is significant risk of severe enforcement actions and reputational harm if they were to come under regulatory scrutiny.
Paper compliance? Proceed with caution!
Taken together, these compliance and accountability challenges call into question the efficacy of the paper compliance approach to protect companies from significant and potentially crippling risk. Paper compliance without operational compliance and real accountability is not just inherently partial compliance, it is, in a very real and consequential way, non-compliance.