The EU General Data Protection Regulation (GDPR) is eighteen months old today but, as seasoned practitioners will know, data protection law has been around for several decades.
What the GDPR has done is place a strict obligation on all controllers to demonstrate that they comply with the law. Article 5(2) calls this the accountability principle, but beyond Article 24's general requirement to implement appropriate technical and organisational measures, the text of the law does not explain in detail what accountability demands. In practice, it amounts to an organisation putting in place a governance framework which sets out how the organisation meets its responsibilities under the law. What this looks like will differ between organisations.
But there's no doubting the importance the regulators attach to the principle. The Article 29 Working Party produced an Opinion on the principle of accountability back in 2010 (Opinion 3/2010, WP 173) which argued that the new European law (now the GDPR) must include an accountability requirement. The Working Party acknowledged that defining what accountability means in practice is complex, but its emphasis was on showing how responsibility is exercised and making this verifiable. In the same Opinion, the Working Party commented that:
“Responsibility and accountability are two sides of the same coin and both essential elements of good governance.”
While many organisations worked hard to meet their obligations under the data protection legal regime pre-GDPR, there was no legal requirement for them to demonstrate data privacy governance. Many chose to do so anyway by appointing data protection officers (DPOs) or adopting mature data protection compliance programmes which, for some, became Binding Corporate Rules. But there was a wide spectrum of practice amongst organisations, and data privacy governance was not always treated as a priority.
Much of the activity by organisations to prepare for 25 May 2018 concerned reviewing and implementing privacy notices, policies, consents and data processing agreements. While it is certainly necessary to review these areas, it is also now essential under GDPR to consider governance.
How will your organisation demonstrate that it doesn’t just have its paperwork in order, but the culture of the organisation is in line with the paperwork? Who is responsible for ensuring that this happens?
The GDPR contains certain requirements and triggers which encourage a data privacy governance programme. For organisations involved in higher-risk processing, there is a requirement to carry out a Data Protection Impact Assessment (Article 35) and/or appoint a DPO (Article 37). Not every organisation is required to appoint a DPO, but many have chosen to do so regardless. Certain organisations have gone further, mindful of the nature of their processing. A few of the big tech companies now have Chief Ethics Officers: in late 2018 Salesforce appointed a Chief Ethical and Humane Use of Technology Officer, a role which recognises that technological developments may need restraining (see https://www.salesforce.com/company/ethical-and-humane-use/). Significantly, particularly in the tech industry, there are other drivers pushing for data privacy governance, since tech investors increasingly ask about the ethical nature of the products and services they are being asked to invest in.
Evidence of poor data privacy governance will have far greater consequences in the future. It’s not just the likelihood of poor governance causing GDPR breaches or leading to fines but also that weak data privacy governance will have negative effects for organisations more generally. Individuals and businesses are less likely to trust organisations that have chosen not to properly invest in resources and compliance programmes to properly protect personal data.
So how do organisations make data privacy governance a positive? For a start, it requires senior leadership. People with sufficient influence within the organisation must be willing to give proper support to data privacy initiatives and governance activities. It also requires a cultural message so that compliance is not seen as a burden but as an essential part of the way the organisation operates. Employees who appreciate that the measures they follow are designed to protect their own privacy as much as that of consumers or service users are more likely to carry out their role conscientiously. Data privacy compliance should be positive because protecting individuals is a positive and important activity.
Good data privacy governance should be a business enabler and not a blockage. A governance framework should acknowledge the specific risks faced by the particular organisation and set out a proportionate set of rules which those handling personal data can follow. Those involved in using personal data should be motivated to comply because it’s part of delivering the overall goal of the organisation – whether to provide a service to consumers, deliver healthcare to patients, or provide charitable support to the vulnerable. All of this is much better managed when an organisation has a proper data privacy governance function with someone (or a team if necessary) responsible for assessing the impact of data use, asking the questions and providing guidance. Data privacy governance should be common sense governance so that those individuals whose data will be processed and whose rights will be affected can understand the decisions made.
It’s been obvious for a while that personal data can be used to cause harm as well as to do good. There is also an increasing recognition of the need to measure the impact of data use on society whether during election campaigns, as part of personalised medicine or adtech. For instance, privacy and data protection can be one factor taken into consideration for ESG (environmental, social and governance) investing. Or organisations can choose to embrace a B Corp structure (as The Guardian has recently done) which could add a privacy governance goal as a specific part of its aim to have a positive impact on society. The ICO is developing an Accountability Toolkit to help organisations put in place a proper governance framework and the resulting guidance should be a useful resource for organisations. The GDPR is here to stay and, consequently, all organisations should consider how to make data privacy governance a positive.
For more information, see Practical Law’s Accountability questionnaire for senior management (GDPR and DPA 2018) (UK) and the practice note, Demonstrating compliance with the GDPR.