The Central Role of Organisational Accountability in Data Privacy
Report of the CIPL Accountability Mapping Project

What Good and Effective Data Privacy Accountability Looks Like: Mapping Organisations' Practices to the CIPL Accountability Framework

May 2020

Foreword

For so many years, accountability has been a bit of a holy grail of data privacy law, policy and corporate compliance. Everybody in the global data privacy community agreed that it was a cornerstone of modern data privacy regulation—delivering effective data privacy and protections for people, driving sustainable and responsible business practices in an increasingly digital world and delivering more than just compliance with a growing body of national data privacy laws.

Accountability has been championed by visionary senior leaders and chief privacy officers in the world's leading companies. It has also been encouraged by many forward-thinking data privacy regulators and lawmakers in the US, Canada, Europe, Asia-Pacific and Latin America. Yet, there has been no formal consensus, nor consistent evidence of what data privacy accountability means in practice. How do the organisations actually build and implement data privacy accountability into their business, culture and behaviours through a data privacy management programme? How are they able to operationalise legal norms into risk-based controls, policies, procedures and tools? And, finally, how do these organisations demonstrate data privacy accountability to their boards, shareholders, regulators and business partners?

That is why we at CIPL embarked on a data privacy accountability mapping project. Over six months we have been working with 17 leading organisations in different sectors to explore and assess the ways in which these organisations truly embedded data privacy accountability in their corporate DNA. Finally, we were able to put a finger on the organisational accountability pulse and get to the bottom of what best in class data privacy practices look like.

I am excited and proud to share this report with you. It is the result of years of work by CIPL on all aspects of organisational accountability. It is also the product of maturing corporate privacy management programmes and of a big shift in how enlightened organisations and their boards approach data privacy as a critical business issue and enabler of the 4th Industrial Revolution. I am extremely grateful to the chief privacy officers of the 17 organisations that took part in our project for their leadership, openness and trailblazing work.

I hope their examples and the findings of our report become the inspiration for other organisations and their senior leaders in how to build a modern data privacy management programme to address the challenges and opportunities of the digital transformation of our society and economy. I also hope that this report brings much needed consensus and sets shared expectations with data privacy regulators and policy-makers globally on what good accountability looks like.

Bojana Bellamy
President, CIPL

Table of Contents

I. About This Report – Methodology And Objectives ... 4
II. General Findings Applicable To All Accountable Organisations ... 6
III. Specific Findings And Examples Of Effective Accountability ... 10
    1. Leadership & Oversight ... 10
    2. Risk Assessment ... 15
    3. Policies And Procedures ... 19
    4. Transparency ... 24
    5. Training And Awareness ... 27
    6. Monitoring And Verification ... 29
    7. Response And Enforcement ... 32
IV. Appendix A. CIPL's Work On Accountability ... 35
V. Appendix B. Illustrating Accountability ... 37

I. About This Report – Methodology And Objectives [1]

This report (Report) is the result of the Centre for Information Policy Leadership (CIPL) [2] Accountability Mapping Project, launched in September 2019. This project consisted of interviews and document reviews of mature privacy programmes and accountability measures of 17 organisations in various industry sectors, sizes and regions—including two SMEs and a university. The main goals of the interviews and document reviews were to understand how these organisations build and implement effective data privacy practices, and how these practices map to the CIPL Accountability Framework (see Figure 1 below).

Project participants include: Accenture, The Adecco Group, BNP Paribas, Boeing, Cisco Systems, Dropbox, Doctrine, Erasmus University Rotterdam, Google, Mastercard, Novartis, Refinitiv, Symcor, Teleperformance, Twitter, Vodafone and Yoti.

This report outlines examples of how a sample of organisations of different sectors, geographies and sizes implement effective data privacy management programmes (DPMPs) that reflect the CIPL Accountability Framework. These should not be understood as:

(i) Mandatory industry standards, but rather as common or specific accountability-related activities that CIPL has observed. Except for specific and clear legal obligations, organisations have to calibrate the types, volume and granularity of their accountability activities and controls to the particularities of their industry, business model, risk profile and size.

(ii) Formal confirmation that the participating organisations meet all the standards, or that they are compliant with the applicable data privacy laws. Rather, accountability through DPMPs is likely to enable organisations to have the necessary infrastructure to be able to deliver compliance with data privacy legal and regulatory requirements.

The main objective of this Report is to promote organisational accountability in data privacy as an essential prerequisite for the 4th Industrial Revolution. In particular, it aims to:

- Promote accountability as standard market practice and a widely recognised due diligence reference in the digital world;
- Build global consensus on accountability between industry and regulators;
- Promote accountability as a country- and sector-agnostic framework and as a bridge between different legal regimes;
- Demonstrate that accountability is a scalable framework that works for both big and small organisations;
- Provide concrete evidence and success stories from organisations that accountability is demonstrable and enforceable; and
- Promote accountability as a board-level and a business strategy issue beyond just legal compliance.

The CIPL Accountability Framework is built on seven core elements as described in Figure 1 below. Section III of this Report outlines examples of accountability practices identified for each of these elements. Section II outlines more general findings and common trends that we have observed with all or the majority of the participating organisations.

[Figure 1 – CIPL Accountability Framework – Universal Elements of Accountability]

II. General Findings Applicable To All Accountable Organisations

CIPL has worked extensively on accountability (see Appendix A) and has been advocating for the uptake and implementation of accountability by organisations and regulators around the world. Through the accountability mapping exercise, we were able to test and confirm many of our prior findings, but also observe some new common trends among the accountable organisations participating in the project and test the effectiveness of our CIPL Accountability Framework (see Figure 1 above).

Accountability is globally recognised as a key building block for effective data privacy regulation and its corresponding implementation. It means that organisations:

a. Take steps such as implementing a comprehensive DPMP to translate data privacy legal requirements into risk-based, concrete, verifiable and enforceable actions and controls relating to the processing of personal data, which are reviewed and adapted over time; and

b. Are able to demonstrate the existence and effectiveness of DPMPs internally (e.g. to the board and senior management) and externally (e.g. to privacy enforcement authorities, individuals, business partners and shareholders).

Our general findings and identified common trends concerning accountability are the following:

1. All participating organisations view accountability as a journey and an internal change management process to embed data privacy in the company's DNA that goes beyond a one-moment-in-time checkbox compliance exercise. For them, this is not a one-off project that gets delivered once and then forgotten about, but an ongoing endeavour driven by continuous risk assessments and the need for constant improvement. Implementing an accountable DPMP is an iterative and dynamic process that requires organisations to adapt constantly to internal and external factors; address regulatory, legal and technological change; and mitigate new risks. Even the most mature DPMPs have to undergo constant and ongoing adaptation and improvements.

"Mastercard's privacy journey started long ago and continues to evolve, with accountability at its core. From making GDPR and privacy by design part of our global corporate objectives, to launching our Data Responsibility Principles to guide all our data and AI practices, our approach is grounded in a commitment to innovation that places the individual at the centre of everything we do".
– Caroline Louveaux, Chief Privacy Officer, Mastercard

2. Project participants consider the CIPL Accountability Framework as an ideal and well-established architecture to build and organise an effective DPMP that translates legal requirements into actionable controls. They also find it to be a useful framework to report and communicate consistently on their DPMP and efforts, both internally to senior leaders and boards and externally to regulators and investors. Finally, the CIPL Accountability Framework enables them to be systematic and measure their DPMP and accountability journey over time.

3. All the participating organisations and their privacy officers [3] recognise accountability as a business topic and driver, enabling responsible innovation and business sustainability. Accountability helps organisations anticipate and adapt to new business models, digitalisation and globalisation. It is very much linked to organisations' business, digital and data strategies and data-driven innovation. Accountable organisations are more agile. They can better anticipate and react to different business and regulatory changes, as well as to crisis situations. They already have established policies, procedures, governance and tools that enable them to take proactive steps, as well as directions from top management that drive smooth implementation of such steps. As one of the chief privacy officers (CPOs) said: "Accountability is a glue that binds everything together in an organisation, and avoids any contradictions".

4. Organisations report that accountability results in business benefits and efficiencies by reducing delays in sales, reducing the number and cost of data breaches, scaling compliance activities and improving overall operational efficiencies. A recent report by Cisco confirmed that accountable organisations see higher returns on investment on data privacy. [4] This chimes well with organisations' senior leaders and boards. They increasingly recognise the business value of data privacy accountability and position data privacy as part of a larger data strategy, digital responsibility and trust. Some even link accountability to corporate social responsibility.

"Companies with higher accountability scores (as assessed using the Accountability Wheel [5] of the Centre for Information Policy Leadership) experience lower breach costs, shorter sales delays, and higher financial returns".
– Cisco 2020 Privacy Benchmarking Study

5. Processors are also strongly embracing accountability. It enables them to differentiate in the marketplace and build trust in the digital supply chain with clients who are looking for accountable business partners to fulfil their own obligations. Processors take steps to be accountable even when they may not be legally or contractually required to do so. Many see the value of external certifications to demonstrate data privacy accountability to their clients and business partners.

6. In all the participating organisations, senior leaders recognise the importance of "tone from the top" and leading by example. They articulate clearly the importance of data privacy and tie it to the strategic business objectives and corporate values. As a consequence, employees understand that protecting personal data and practising responsible data use are a collective effort and everyone's responsibility (and not only the responsibility of privacy officers and legal teams). In turn, this cascading downwards of accountability goals and behaviours brings about a real change of culture in the organisation and increases trustworthiness with customers, clients and business partners.

"If you're doing privacy just for compliance, you've already failed. Privacy is an ethical responsibility and business imperative".
– Harvey Jang, Vice President & Chief Privacy Officer, Cisco

7. Accountability is sector agnostic and scalable. Our mapping exercise revealed that organisations of all types, sizes, sectors (including the public sector), geographical footprints and varying corporate cultures can develop and implement an accountable DPMP. The programme, the specific activities (policies, procedures, controls and tools) and the human and financial resources will be different, appropriate to the specific context, risks, goals and size of each organisation. In particular, while smaller organisations can and do take steps to be accountable, they calibrate measures differently than larger, multinational organisations, sometimes with more agility. But the overall accountability architecture, as suggested by the CIPL Accountability Framework, can be the same, irrespective of their industry sector and size.

8. All the participating organisations proactively manage privacy risks and adopt a risk-based approach to their DPMP. They build and implement their DPMP and activities taking into account the level of risk of their processing operations to individuals, as well as the risks to their organisations. Risk management enables them to prioritise their accountability measures and make their programme more effective in practice.

9. Accountability frameworks, such as the CIPL Accountability Framework, are law-agnostic. Organisations report that they use internally similar accountability frameworks in other areas of corporate compliance, such as anti-corruption, anti-money laundering, competition law, export controls and information security. This makes it more familiar for senior management and boards, and enables consistent reporting on, and communication concerning, all the corporate risks and focus areas.

10. Accountable organisations are driving global convergence in data privacy laws and best practices. Accountable organisations build and implement a single global DPMP with a common set of controls, procedures and tools, often based on converging norms, to address legal requirements in all countries where they operate as consistently as possible. This makes it easier to promote, communicate and monitor a single set of best practices. This is also helpful for national regulators around the globe, as they are able to align their views and expectations of data privacy compliance activities as they witness and work with consistent and global accountability frameworks.

"Data protection and privacy are core to our business as a professional services company. Building our data privacy program around company values, our ethics code and accountability globally, helps us apply the same high standards everywhere—no matter how developed the law in a country might be".
– Florian Thoma, Senior Director - Global Data Privacy, Accenture

III. Specific Findings And Examples Of Effective Accountability

1. Leadership & Oversight

Leadership and oversight are the anchor of organisational accountability. They define the organisation's ambition, commitment and governance, so that the DPMP and data privacy procedures and controls are effective and embedded within its culture.

Through the accountability mapping exercise, CIPL has found certain common features of leadership and oversight in all the participating organisations. These include organisation leaders making a clear and formalised commitment to data privacy protection; establishing an internal data privacy network that includes individuals whose primary responsibility is data privacy; putting in place comprehensive and effective DPMPs; and ensuring that there is executive-level oversight of data privacy activities.

Case Study 1. Data Privacy made No.1 corporate priority
The CEO of an organisation added data privacy as the No.1 priority for all its employees in 2020, measured by specific KPIs. Some teams have been directed to spend a minimum of 30% of their annual resources on data privacy. In the previous year, 2019, data privacy was made a priority for all engineering teams.

Case Study 2. "What is privacy for you?" – Short videos with executives
An organisation recorded a non-rehearsed, spontaneous short video with the CFO and other senior executives. They were asked questions such as "What is privacy for you?", "How has privacy changed your job?", "Why do you care about privacy?" It has been the most-seen video campaign in the history of the organisation.

Case Study 3. Code of Conduct for AI and big data with appropriate oversight
An organisation is drafting an internal code of conduct for research based on big data and Artificial Intelligence. It has appointed a privacy and ethics board, with an efficient and transparent procedure for approval of projects.

1.1 Committing from the top ("Tone from the Top")

We have observed that organisations' boards and senior leaders specifically commit to data privacy in many different ways, which results in data privacy becoming a mandate for the entire organisation. Commonly and traditionally, boards and senior executives address data privacy as risk and compliance topics. However, increasingly, they also address it as part of a broader business and data strategy imperative, as well as part of the organisation's digital trust agenda. In many cases, senior leaders link data privacy to the organisation's code of business practices and corporate values, which must be followed by all employees in their daily activities.

Often, senior leaders require that data privacy be included in the top priorities and performance goals of all senior executives, which they then cascade to their teams and other employees. In some organisations, senior executives are required to complete an annual personal certification that they comply with data privacy policy and programme requirements (among some other key corporate focus and compliance areas).

Our mapping exercise revealed that in all participating organisations, CEOs and senior leadership communicate regularly on the importance of data privacy to the entire organisation through the intranet, blog posts, videos and emails. In particular, CEOs in these organisations lead by example and are vocal about the importance of data privacy, both internally and externally and often on a personal level. They also get personally involved in data privacy activities, such as by attending oversight committee meetings, reviewing responses to regulatory filings and requesting special briefings and reports on privacy.

Case Study 4. CEO ensures data privacy is a priority for executives
The CEO of a business-to-business organisation sees accountability and data privacy as a personal responsibility as well as a strategic imperative. She takes efforts to cascade this priority down to executives by addressing these topics in senior leadership meetings, giving formal statements on the occasion of the Privacy Day in January, etc. In addition, the budget allocated to the CPO comes directly from the CEO.

Case Study 5. Real decision-making power of the CPO
A CPO is the "decider" with 51% of the vote for decisions concerning data privacy matters.

Case Study 6. The CPO has thought leadership in the mandate
The CPO of a multinational business-to-business organisation has 25% of her mandate assigned to thought leadership and regulatory engagement, with a special budget. The CPO sets the priorities for external engagements based on market knowledge, peer and competitor activities and regulatory and legal developments.

Case Study 7. The global DPO ultimately reports to the CEO
In an organisation, data privacy is the only area of law that is handled by a global function, led by the global statutory DPO with all local privacy leads reporting directly to her. She reports to the general counsel, who reports to the CEO.

1.2 Individuals responsible for data privacy—privacy officers

Privacy officers are the individuals most frequently responsible for data privacy within organisations. They are senior leaders responsible for setting data privacy strategy, and for building, implementing and overseeing DPMPs. They often sit within existing corporate functions (e.g. legal, compliance, risk, products, operations) or, in rarer cases, are a stand-alone function. Privacy officers may also have responsibilities for external engagement and representation, including regulatory engagement with data protection authorities (DPAs), policymakers and standards bodies.

Privacy officers are positioned in the organisation in a manner that allows them to exercise their role effectively and to have authority and impact. They generally escalate risks and issues to senior management and in some cases to the board, and may even have authority to say no.

With data privacy-related matters arising across the entire organisation, privacy officers often have to work in a cross-functional manner and engage regularly with other business and functional leaders. Depending on the organisational structure, they leverage existing internal steering or oversight committees, or set up specific ones, to review issues related to data privacy and ethics.

"Privacy officers should aim to build sustainable privacy governance frameworks or programmes that embed data privacy compliance and make it business as usual". [6]
– Emma Butler, Data Protection Officer, Yoti

Just like with the "tone from the top", many organisations insist on the importance of "tone from the middle", and privacy officers are a key component of this. This helps to make privacy accountability everybody's responsibility and results in a more effective DPMP.

Reporting lines of privacy officers and reporting tools

Organisations set up different internal reporting lines for privacy officers that are adapted to their business, corporate structure and culture, and risk profile. Privacy officers regularly report into legal, compliance, general secretariat, cyber, IT or risk. In all cases, they are positioned just one to three levels below top management/the CEO.

In some organisations, privacy officers report on their work directly to the CEO or to oversight boards to provide status updates on the DPMP or escalate strategic decisions. Some organisations also mandate regular reporting at local and regional management levels (e.g. to local boards, local managing directors, business or product managers).

Organisations have adopted and/or developed specific tools to support oversight and reporting. These include visual dashboards, key performance indicators (KPIs), controls and third-party support (such as auditors' and consultants' reports). Some metrics used in these tools include:

- Percentage of progress on risk assessments;
- Privacy-related risks and issues identified;
- Number of data breaches;
- Number and results of Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs);
- Number and types of privacy complaints and enquiries received;
- Number of individuals exercising their rights (access, correction, deletion, objection);
- Numbers and type of regulatory interaction and investigations; and
- Percentage of completion of mandatory training.

Case Study 8. Encouraging employees to pursue a data privacy career
An organisation has developed a programme to encourage employees to follow a data privacy career. Interested employees who sign up to the programme receive privacy training and are given opportunities to get certified in privacy. They also commit to raising awareness of privacy to the business. The organisation is further considering sending top employees to secondments with the UK Information Commissioner's Office.

Case Study 9. CPO reporting to the board
A CPO provides the board with regular reporting on the risks to individuals and the organisation linked to the personal data processing operations. Risks are classified and measured quantitatively. The risk is given a rating from 1 to 5 for both likelihood and consequence. A "5" in consequence could mean that significant regulatory fines are possible, but also that there is a possibility of expensive litigation or significant negative impacts on stock price or company brand. A "5" in likelihood would mean that a serious incident is highly probable or near certain, and a "1" would mean that current controls would prevent most serious incidents.

Support to privacy officers at local and business level

Due to the number of tasks required of privacy officers, organisations often provide extra support to them at the local/geographical and business levels. This also benefits the organisation's accountability in general, as it cascades the responsibilities and embeds a culture of data privacy more deeply within the organisation.

Individuals who support privacy officers locally or at the business level can have:

- Different titles, such as privacy lead or privacy ambassador;
- Different levels of seniority;
- Privacy responsibilities on either a full-time or part-time basis; and
- Different backgrounds (e.g. engineers, lawyers, business, etc.).

Their responsibilities include:

- Acting as the privacy voice to front-line functions and day-to-day operations;
- Addressing privacy questions;
- Identifying and resolving privacy issues at a local level; and
- Escalating privacy risks to privacy officers.

Investing in data privacy talent

In order to drive accountability deeper into the organisation, organisations make efforts to build and strengthen their internal privacy talent and networks. This includes making data privacy-related positions attractive to employees as part of talent management and presenting them as a career opportunity. They also provide training and certification opportunities to employees and enable them to attend privacy conferences and events and engage with the wider privacy community.

"Privacy officers meet regularly to discuss privacy risks, and are better recognised and acknowledged by other employees in the organisation. Bringing them together in a team gives them a feeling of belonging and keeps them motivated that their work is having a positive impact".
– Marlon Domingus, Data Protection Officer, Erasmus University Rotterdam

Privacy officers regularly organise internal meetings with their teammates responsible for data privacy (e.g. privacy forums, privacy off-sites, privacy fairs, DPO days or annual meetings). During these meetings, they share best practices, define their annual strategy, assess the state of the DPMP, define common best practices and standards, issue concrete deliverables applicable throughout the organisation and build solutions together to improve it. These can be online or face-to-face, regional or global gatherings. Some organisations also invite external experts and regulators to deliver presentations on hot topics.

Case Study 10. Privacy training and certifications provided to all employees
An organisation requires all members of its extended privacy team (including lawyers and engineers) to complete internal basic training, obtain IAPP CIPP certifications and participate in a half-day privacy engineering workshop/training. This training is also made available and optional for all other interested employees. The organisation has sponsored more than 200 certifications.

Case Study 11. A DPMP helped an organisation obtain a privacy certification
A business-to-business organisation has recently obtained a privacy certification for all its activities globally that required it to maintain a global DPMP. The organisation, however, already had a mature accountability-based DPMP in place. It was able to leverage it and speed up the certification approval.

Case Study 12. A look at an internal ethics and trust committee
An organisation has set up an internal ethics and trust committee. The organisation seeks representation from across the business as well as diversity when designating members to this committee, which includes the CEO, the DPO and senior managers across the business. One of the responsibilities of the committee is to develop an ethics framework.

1.3 Establishing effective Data Privacy Management Programmes (DPMPs) and governance

Effective accountability requires the implementation of DPMPs, which can include the designation of oversight committees as well as the establishment of appropriate privacy governance.

Implementing DPMPs

All organisations that took part in the CIPL accountability mapping project have put in place comprehensive DPMPs. These DPMPs vary per organisation, but all cover in their own ways all elements of the CIPL Accountability Framework (see Figure 1 above). When setting up DPM
