Privacy regulators around the world are increasingly embracing the notion of accountability as a vehicle to drive privacy compliance within organisations. So far, the privacy regulators in Canada, Hong Kong, France, Australia and Colombia have issued “Accountability Guides” or “Privacy Governance Frameworks” intended to assist private sector (and in some instances also public sector) organisations in setting up appropriate processes and procedures to ensure privacy compliance. Those documents have a lot in common and provide helpful (non-binding) guidance. In this and the next post, we will analyse those guides and extract the key takeaways for private sector organisations.
The Canadian, Hong Kong And Colombian Accountability Guides
The privacy commissioners of Canada, Alberta and British Columbia were the pioneers when they jointly issued the Guide “Getting Accountability Right with a Privacy Management Program” in April 2012.
The Hong Kong privacy commissioner followed the Canadian example in February 2014 when it issued the “Privacy Management Programme – A Best Practice Guide”. The Hong Kong Guide is modelled on the Canadian Guide and identical to it in many points, as are the Colombian “Guidelines for the Implementation of the Accountability Principle” issued by the Colombian DPA in May 2015 (which, so far, are available only in Spanish).
Privacy Management Programs As The Tool To Ensure Privacy Compliance
The respective Canadian, Hong Kong and Colombian Guides all promote privacy management programs (“PMPs”) as the appropriate tool to ensure privacy compliance. According to the guides, the two key components for creating a comprehensive PMP are organisational commitment and program controls. In addition, PMPs need to be continuously assessed and revised.
Organisations need to implement an internal governance structure that fosters a culture of privacy. This requires:
- top management to strongly and actively support the PMP;
- the appointment of a data protection officer who will be responsible for designing and managing the PMP and overseeing the organisation’s privacy compliance in general (potentially supported by a team of privacy staff);
- internal reporting mechanisms which ensure that the right people (generally senior management) know how the PMP is structured and whether it is functioning as expected.
Organisations need to put in place adequate program controls to ensure that what is mandated in the governance structure is actually implemented. There is no one-size-fits-all solution as to what constitutes adequate program controls. Rather, what is adequate depends on various factors such as the organisation’s nature and size as well as the amount and sensitivity of the data handled. Generally, however, organisations need to:
- maintain a personal data inventory mapping out their processing activities;
- put in place and communicate clear internal and external data protection policies/notices;
- conduct periodic risk assessments;
- adopt a privacy-by-design approach;
- train staff adequately;
- implement data breach handling procedures;
- put in place contractual or other mechanisms to protect personal data handled by service providers.
Assessment And Revision
Once built and implemented, a PMP needs to be maintained through ongoing monitoring, assessment and revision to ensure its ongoing effectiveness. It should never be considered a finished product.
While issued by national regulators, the respective guides are universal in scope. In the absence of guidance from their local regulators, privacy professionals from anywhere in the world looking to build PMPs that satisfy regulator expectations would do well to consult them for guidance.