By Teresa Troester-Falk, Chief Global Privacy Strategist at Nymity
With the advent of the GDPR and the overwhelming attention it received, it may have seemed to many new privacy professionals that it was the first privacy law ever to be passed. But there are over 700 data privacy laws and regulations worldwide, some dating back to the 1980s. The EU GDPR was the first law with global repercussions that required extensive organisational changes, and the fact that non-compliance could result in severe penalties made everyone take notice. Now that we are facing the ramp-up to the CCPA (California Consumer Privacy Act), which comes into effect on January 1, 2020 (as well as other laws, like Brazil's new data protection law), organisations are wondering how they can leverage all of the work they put into the GDPR to also comply with the CCPA and the other privacy laws that apply to them.
In this article, we will discuss, on a theoretical level, how an accountability approach to compliance can help you efficiently manage and scale your program. We will also cover the practical side of how to implement program changes. We will examine case studies in which the Nymity Privacy Management Accountability Framework™ helped organisations take an accountability approach to the GDPR and prepare to leverage those activities for the CCPA and other new laws to come.
An accountability approach will work both for organisations that have made themselves GDPR ready and for those that are just getting started with privacy compliance. In all cases, it will help prepare you to comply with multiple laws and ensure that you are ready for future laws.
What is Accountability?
Over the past decade, the concept of accountability emerged as a dominant theme in global privacy and data protection law, policy, and organisational practice, and it is now considered fundamental to privacy management. It requires organisations to take a proactive and structured approach to privacy management by implementing appropriate and demonstrable privacy and data protection measures. It has broad international support and has been adopted in the GDPR as a compliance obligation: the GDPR calls for organisations to put in place appropriate technical and organisational measures. Privacy offices dealing with multiple laws at the same time will benefit from having a core data protection program in place that they can map to the requirements of each relevant piece of legislation. This also ensures they can demonstrate an ongoing capacity to comply with privacy laws and remain accountable.
Comparing Compliance Approaches
• Traditional Compliance Assessment Approach: this approach assesses compliance with each requirement individually.
Many organisations take the traditional compliance assessment approach. They identify all the laws that apply to them and determine the activities to put in place to comply with each of those laws. This works if you operate in one or a few jurisdictions and have many resources at your disposal, but it is difficult to sustain over time. With every new law, you need to start from the beginning and map requirements to activities, which causes a great deal of duplicate effort.
• Rationalised Rules/Requirements Approach: this approach identifies common legal requirement elements and addresses outliers separately.
In the "rationalised rules/requirements" approach (historically popular in the financial industry), all relevant new laws are mapped against existing ones and a compliance rule set is created to address all of the common legal compliance elements in those laws. This approach has several disadvantages. It takes a great deal of effort to devise a rule set that addresses only the common elements, and you then still need to address the outliers. The more laws there are, the more unwieldy this approach becomes.
• Accountability-Based Approach: One privacy program to comply with multiple laws.
This approach begins with using a privacy framework to embed privacy management activities (technical and organisational measures) throughout your organisation, i.e. a privacy program. The privacy program serves as a strategic framework that helps the organisation put in place a robust privacy infrastructure, and the framework guides the specific privacy management activities and organisational measures you embed throughout the organisation. Because that infrastructure is built to facilitate compliance with multiple laws, as new laws come into effect you can leverage the work you have already done to comply with them.
Comparing GDPR & CCPA
You may be surprised (and relieved) to learn that many of the policies and procedures that you have put in place for the GDPR can be used for the CCPA, as well.
Nymity has mapped the CCPA to the Nymity Privacy Management Accountability Framework™. We have identified nine CCPA provisions that require evidence of a privacy management activity (technical or organisational measure) in order to demonstrate compliance. Of those nine activities/measures, seven are also relevant under the GDPR and are thus likely to already be part of your privacy program.
Overlapping Privacy Management Activities Shared Between the GDPR and CCPA
• Maintain a data privacy notice
• Maintain procedures to respond to requests for access to personal data
• Maintain policies/procedures for the collection and use of personal data of children and minors
• Maintain policies/procedures for obtaining valid consent
• Maintain procedures to respond to requests to opt-out of, restrict, or object to processing
• Maintain procedures to respond to requests for data portability
• Maintain procedures to respond to requests to be forgotten or for erasure of data
Privacy Management Activities that Do Not Overlap between the GDPR and CCPA
• Conduct privacy training reflecting job-specific content
• Maintain procedures to respond to requests for information
As you can see above, most of the privacy management activities that you may have in place for the GDPR can be extended or reused for the CCPA if you are taking an accountability approach to compliance. Only the two non-overlapping activities need to be built or adapted specifically for the CCPA.
The Accountability Approach to Complying with Multiple Laws
All of the activities required to manage privacy and appropriately process personal data have been identified and grouped into 13 categories in the Nymity Privacy Management Accountability Framework™, a single framework for building and maintaining a privacy program. The following are two business cases where the Nymity Framework™ has helped companies leverage their GDPR compliance initiatives to be ready to comply with multiple laws.
Blue Ocean Enterprises
Blue Ocean provides services to a privately held portfolio of companies. They used Nymity's Framework™ to implement an agile privacy program that can respond to changes in laws and regulations, emerging threats, and consumer expectations. With a portfolio of both mature companies and start-ups, they have implemented a four-step privacy program lifecycle:
1. Identify requirements
2. Assess their program against the Nymity Framework™
3. Remediate the gaps
4. Operate the program
Using Nymity's Framework™, Blue Ocean has found that implementing a single technical and organisational measure can help them comply with several laws. And when they find a gap against the Framework and fill it for one law, that same measure can fill the gap for other laws at the same time.
MHE
With offices in over 50 countries around the world, MHE has a broad scope of privacy laws with which to comply. When they set out to centralise the privacy programs from their individual offices, they used the Nymity Framework™ to build all of the documentation for a single privacy program that would work for every jurisdiction.