In today’s digital society, where we trust organizations with our personal information on a daily basis, the only thing we can truly rely upon for our data protection is the accountability of those organizations. Where Canadian privacy commissioners (Federal, B.C. and Alberta jointly) made a small ripple in the privacy pond in 2012 by publishing a key guidance document for privacy officers, called Getting Accountability Right with a Privacy Management Program, Europe’s General Data Protection Regulation (GDPR) has made a significant splash. Organizational accountability offers a comprehensive approach to data protection and the ‘key building blocks’ outlined in Canada’s guidance document offers critical elements that bake privacy consciousness into the organizational culture. Many of the same elements, such as leadership and oversight (the tone at the top), conducting data protection risk assessments, policies and procedures relating to data processing, transparency, strong security controls, training and awareness and service provider oversight are at the very heart of the GDPR.
The key difference is that the GDPR has teeth. The threat of enforcement actions by data protection authorities (DPAs) in the European member states, and the significant fines that DPAs can impose, has meant accountability is taken more seriously than ever before. Given that the GDPR has extraterritorial impact – applying to any organization that processes personal data about EU residents – the regulation has resulted in a heightened interest in privacy globally. In fact, the GDPR specifically outlines that organizational accountability is one of the mitigating factors taken into consideration in setting fines for non-compliance. Canada’s Privacy Commissioner has been asserting the need for greater enforcement powers for almost two decades.
The GDPR has set a new global standard that raises the bar for privacy protection: Selecting a data protection officer who sees privacy as a core business value, above and beyond a minimal legal requirement, and selecting data processors who also exhibit strong accountability, have become matters of due diligence and best practice.
Who benefits? The end consumer of course. And now we’re on the path to getting accountability right…
For assistance with your GDPR compliance responsibilities, contact PRIVATECH.1