Assessing “Accountability” under the GDPR
November 26, 2018
The General Data Protection Regulation (“GDPR”) holds a data controller accountable for verifying its compliance with the GDPR’s key principles of: lawfulness; fairness; transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity; and confidentiality.
A lot has been written about the concept of accountability. This article proposes a model for assessing accountability in light of the GDPR’s requirements.
What does “accountability” mean?
The GDPR represents a significant change in the approach to data protection. A key change is that the GDPR seeks to unify EU Member States’ data privacy rules. It also shifts the approach to data privacy compliance towards self-regulation, changing the role of data protection authorities from a primarily supervisory to a primarily monitoring one, while also expanding the authorities’ supervisory rights .
All data controllers – and data processors – must develop and maintain various organizational and technical measures – or data protection controls – to ensure their ability to assess their respective compliance – or “accountability” – with the GDPR’s principles.
The GDPR’s self-regulation concept carries challenges for all companies, and particularly for those that conduct larger, more complex data processing activities. Although the GDPR does not mandate this, companies could ensure data protection compliance by implementing, maintaining – and continuously improving – an internal data protection governance framework. That can be done by adapting to the data privacy environment practices typically used in information security and risk management, to create a comprehensive framework spanning each of the company’s functions that comes into contact with personal data. Once created, the maturity of each process within that framework must be assessed periodically by professionals, to measure the company’s performance relative to data privacy compliance.
Creating an “accountability” assessment framework
The first step in building the framework is having a data protection strategy. Not every business requires such a strategy. Those businesses conducting complex, extensive data processing activities or monitoring data subjects on a large scale, or whose data processing involves sensitive data, would be well served to adopt such a strategy. That strategy should support the business’ plans and be supported by the business’ procedures.
To create that strategy, one first analyses and assesses the business’ goals, existing opportunities and limitations, and company resources in light of data protection requirements. Aligning the risks arising from those requirements with the company’s internal and external risk appetite is also an important part of this process. One must also assess the data processing activities that the core business and each of its support functions will conduct. The latter include, for example, marketing activities, third-party vendor communications, outsourcing, M&A, IT, information security, fraud detection and prevention, internal whistleblowing, and employment.
That approach positions data protection as a control function that supports each of the company’s other functions, so that the business can target potential customers in a manner compliant with the GDPR. In other words, GDPR considerations must be at the core of the business’ strategy.
Then one needs to identify both the internal and external (human and legal) resources needed to achieve the privacy strategy. Companies which must appoint a Data Protection Officer, or those who choose to do so voluntarily, will find that they are legally obliged to allocate resources (including budget) for data protection and compliance purposes.
Assessing the strategy’s compliance
How can a company assess whether it is meeting data protection requirements in compliance with the principle of accountability? For that purpose, the Data Protection Officer could oversee the evolution of the company’s compliance by using information security type mechanisms.
Risk management, including assessing the maturity of various internal processes, is commonplace in the information security field. The risk management process has significant value in assessing a company’s data security related processes.
The CMMI Institute’s Capability Maturity Model Integration (CMMI) is a useful model. CMMI ranks process maturity on a scale of 0-5 as follows:

| Maturity Level | General description | Data Protection Control |
|---|---|---|
| 1 | Undefined, ad-hoc process | No |
| 2 | Repeatable, undocumented process | Occasional |
| 3 | Documented, repeatable and implemented process | Implementable |
| 4 | Process under quantitative control | Implemented, automatically measurable and verifiable |
| 5 | Optimized, self-correcting, automated process | Implemented, automatically measurable and controllable |
Process maturity assesses how well defined and repeatable a process is: if the same process repeatedly produces the same outcome from the same input, it is mature. Effectiveness, on the other hand, tests how well a process performs. Even a process with a high maturity level can be ineffective if the relevant data protection control is not in place or is not functioning adequately.
The processes under assessment should be reviewed in an order driven by their importance and complexity relative to the business strategy they serve, and each should be assigned an indicator number according to its expected operation and the potential data protection risks. The resulting indicators enable a company to measure the effectiveness of individual data control measures, as Art. 32(1) GDPR requires each data controller and data processor to do.
By measuring the maturity of its data protection related processes, a company can get a clear picture of its current abilities and identify areas for further development by comparing the results of the maturity assessment with the chosen strategic maturity levels of said areas.
Depending on the methodology chosen to evaluate process maturity, the company may be able to benchmark itself to other organizations and market participants (for example, by assessing those areas in which major competitors and companies doing similarly complex data processing focus, and how they are performing).
An assessment of selected key data protection processes is recommended at least annually.
| # | Privacy Process Area* | Currently | Target |
|---|---|---|---|
| 2 | Privacy Governance and Program Management | 4 | 4 |
| 3 | Privacy Policies, Standards and Procedures | 3 | 3.5 |
| 4 | Data Subject Requests | 3 | 3.5 |
| 5 | Internal Privacy Framework and Documentations | 3 | 4 |
| 6 | Privacy Architecture and Privacy-by-design | 2.5 | 4 |
| 7 | Privacy Risk Management | 3 | 5 |
| 8 | Data Breach Management | 3.5 | 5 |
| 9 | Data Processors and Vendor Management | 2 | 4 |
| 11 | Litigation and DPA consultancies | 1 | 3 |
| 12 | Training and awareness | 3 | 4 |
| 13 | Privacy related Technologies and Capabilities | 1 | 3 |

*Illustration – Sample Privacy Process areas and recommended process maturity levels
Metrics: privacy Key Performance Indicators and Key Risk Indicators
Data privacy management processes alone are not enough. Once those are mature, use of management concepts such as ‘Key Performance Indicators’ (KPI) and ‘Key Risk Indicators’ (KRI) will assist a business to understand the data privacy risks it faces even when its processes perform well. A KPI assesses the process performance between two previously defined extremes: for example, did the investigation of an alleged data breach occur within required time limits, meaning that the process functioned well? A KRI indicates the likelihood of risk occurrence related to a data protection process: for example, is a data breach highly likely due to a functional failure of the data protection control built in to a process?
The data protection framework should measure KPIs and KRIs sufficiently frequently to monitor and report them at regular intervals to the company’s senior management. A frequently used reporting approach is creation of dashboards and heat maps, well-known within the information security area. Baker McKenzie’s Compliance Cockpit covers the most significant risk areas, like fraud, compliance, tax and data protection.
The KPIs and KRIs must be capable of being measured objectively, be exact, be reliable and have appropriate business content. One of the most commonly advised ways to design them is to use the GQM (Goal-Question-Method) method which applies a top-down approach within the company. Its three main steps (as its name implies) are: a high level determination of goals; formation of questions related to the goals; and determination of the metrics given as a response to the question. Assume a goal is that the company ensure compliance with the principle of transparency. How can this be achieved? The company must give data protection related information of appropriate quality when collecting data. Where is the data collected? If on webpages, then a KRI could be the number of webpages the company operates, on which it has not updated its data privacy notices in the past year.
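The two indicators described above, the breach-investigation KPI and the GQM-derived KRI of webpages with out-of-date privacy notices, can be computed from a company’s own records. The following is an added example (not code from the article or from Baker McKenzie) that does so over constructed sample data. The required investigation time limit, the one-year staleness window, the dashboard thresholds, and the case ids and URLs are all assumptions made for illustration; a company would substitute its own documented values, as the text recommends for objectivity.

```python
"""KPI / KRI computation for a privacy dashboard over constructed data (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class BreachCase:
    case_id: str
    detected: date
    closed: Optional[date]  # None while the investigation is still open


@dataclass
class WebPage:
    url: str
    notice_updated: date  # date the privacy notice shown on this page was last revised


def kpi_investigation_timeliness(cases, limit_days):
    """KPI: share of closed breach investigations finished within limit_days of detection.

    limit_days is the organisation's own required time limit (assumed here; the article
    states none). Open cases are excluded so they do not inflate or deflate the ratio.
    Returns (within_limit, closed_total, ratio); ratio is None when no case is closed.
    """
    closed = [c for c in cases if c.closed is not None]
    within = sum(1 for c in closed if (c.closed - c.detected).days <= limit_days)
    ratio = within / len(closed) if closed else None
    return within, len(closed), ratio


def kri_stale_privacy_notices(pages, as_of, max_age_days=365):
    """KRI from the GQM chain: goal = transparency; question = is the notice on each
    data-collecting page current?; metric = pages whose notice was not updated in the
    past year. Returns the sorted URLs so the count ships with its evidence."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(p.url for p in pages if p.notice_updated < cutoff)


def rag_status(value, green_max, amber_max):
    """Map a metric to a red/amber/green heat-map colour (thresholds are assumptions)."""
    if value <= green_max:
        return "green"
    if value <= amber_max:
        return "amber"
    return "red"


# Constructed sample records: illustrative ids and URLs only.
AS_OF = date(2018, 11, 26)
CASES = [
    BreachCase("INC-1", date(2018, 9, 1), date(2018, 9, 3)),
    BreachCase("INC-2", date(2018, 9, 10), date(2018, 9, 20)),
    BreachCase("INC-3", date(2018, 10, 5), date(2018, 10, 9)),
    BreachCase("INC-4", date(2018, 11, 20), None),
]
PAGES = [
    WebPage("https://www.example.com/", date(2018, 5, 1)),
    WebPage("https://shop.example.com/checkout", date(2017, 3, 15)),
    WebPage("https://careers.example.com/apply", date(2016, 11, 30)),
    WebPage("https://www.example.com/newsletter", date(2017, 11, 27)),  # one day inside the window
]


def report(as_of=AS_OF, cases=CASES, pages=PAGES, limit_days=7):
    """Assemble the figures a senior-management dashboard row would carry."""
    within, closed, ratio = kpi_investigation_timeliness(cases, limit_days)
    stale = kri_stale_privacy_notices(pages, as_of)
    missed_share = 1.0 - ratio if ratio is not None else 1.0  # share of cases over the limit
    return {
        "kpi_within_limit": within,
        "kpi_closed": closed,
        "kpi_ratio": ratio,
        "kpi_status": rag_status(missed_share, 0.10, 0.34),
        "kri_stale_notices": len(stale),
        "kri_status": rag_status(len(stale), 0, 2),
        "kri_evidence": stale,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Keeping the KRI as a list of URLs rather than a bare count is what makes the metric auditable in the sense the text asks for: the reviewer of the dashboard can trace the number back to the sampled records and the documented cutoff rule.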
ISACA’s 2015 survey indicated that the main data protection metrics relate to: incident management (number of data breaches/number of managed incidents); data protection complaint handling (number of customer complaints); data protection risk management (number of prepared data protection risk analyses); data protection training (number of employees that have attended a data protection training); data protection audits (number of performed data protection audits); personal data management (number of records containing collected, controlled personal data); supplier management (number of those external suppliers that have access to personal data controlled by the company); and data processing operations (number of geographical locations where the company stores personal data).
If an operational risk management function exists within a company (e.g., in case of financial institutions), then the metrics and data protection risk management processes can be integrated into it and can be managed together with other risk and performance metrics.
To ensure the objectivity of the metrics, the methodology used should be documented, as should the steps to be used for the metrics’ measurement and sample collection processes.
Reporting about the Framework
Because each report will be read by a range of personnel, including the senior management team, executive staff and operators of certain data protection controls, a single report on framework performance might not suffice. Different input information will be needed by, for example the operator of the access controls on the IT department and the legal department representative who creates data protection reports.
The reports made for the senior management team should address the principle of accountability generally: how does the data protection governance framework perform? Reports to specific functions may need to be more granular.
Discussion about the reports could drive decisions about which areas need more resources or attention and which need to be developed to meet strategic data protection goals.
Potential benefits of external framework performance reporting?
The GDPR does not require data controllers or data processors to report externally about their compliance with the GDPR. However, as data privacy becomes more of a competitive edge issue, investors, vendors, customers and employees appear to be expecting more transparency regarding data processing operations and a company’s data governance framework.
Companies might consider whether external reporting of their accountability metrics would meet the market’s desire for transparency. That reporting would leverage the company’s information security and privacy frameworks by positioning accountability information in disclosures in financial statements, annual reports, press statements or advertisements. Such disclosure could provide business value by publicly demonstrating accountability and the commitment to transparency, which in turn could enable data subjects to make informed choices regarding an organization’s service offerings.
The principle of accountability requires data controllers to engage in broad and complex activity, proportionate to the risks arising from the personal data controlled, being mainly the risks to the rights and freedoms of data subjects. It is clear from the common interpretation of the GDPR that – similar to other governance frameworks (such as the feedback and continuous improvement of the information security governance framework of ISO 27001) – the principle of accountability requires continuous assessment and improvement of a company’s data protection framework. Creating a data governance framework, defining metrics to assess accountability, and disclosing internally and even externally the measurement of accountability may help companies attain a competitive edge while also enhancing GDPR compliance.