The Australian and French privacy regulators have also each issued guidance on getting accountability right, but they take a slightly different approach from the Canadian, Hong Kong and Colombian regulators in that they do not expressly refer to, or promote the implementation of, privacy management programs.
The French Approach
The French data protection authority was the first European privacy regulator to release a standard outlining what accountability means in practice. The French Standard, released in January 2015, is intended to assist organisations in preparing for their future accountability obligations under the General Data Protection Regulation.
Companies that demonstrate compliance with the 25 requirements of the French Standard will be able to obtain an accountability seal certifying their compliance. The French regulator has just released (in August 2015) the standard under which private and public sector organisations may obtain privacy seals certifying their privacy governance procedures.
While the French accountability standard does not refer to privacy management programs, the requirements under the French accountability standard largely mirror those of the respective Canadian, Hong Kong and Colombian Guides. For example, they include having adequate internal and external privacy policies, appointing an adequately trained data protection officer responsible for implementing the organisation’s privacy measures, training staff on privacy issues, undertaking privacy risk assessments, creating a comprehensive map of data processing operations within the organisation, putting in place processes for dealing with complaints and enquiries, generating and retaining logs relating to security threats and adopting and implementing a crisis management plan to handle data breaches.
The Australian Approach
The Australian Privacy Management Framework promotes the idea that “good privacy management” requires organisations to implement certain key steps and commitments. It sets out the following four steps for organisations to take to ensure they practise good privacy governance and meet their compliance obligations.
Firstly, organisations should “embed a culture of privacy that enables compliance”. This requires organisations to understand their privacy obligations, allocate responsibility for privacy management to designated staff, implement reporting mechanisms, adopt a privacy-by-design approach, and develop and implement a privacy management plan (which does not appear to be the same as a PMP).
Secondly, organisations are encouraged to “establish robust and effective privacy practices, procedures and systems”. These correspond to the program controls of the Canadian, Hong Kong and Colombian guides and include keeping an up-to-date personal data inventory, implementing processes which ensure compliant personal information handling practices, promoting privacy awareness within the organisation, developing and implementing good internal privacy policies, implementing risk management processes, undertaking privacy impact assessments, establishing processes for handling privacy enquiries and complaints, and developing data breach response plans.
Thirdly, organisations should “evaluate their privacy processes to ensure continued effectiveness”. In addition to regularly monitoring and reviewing their privacy processes, the Framework advises organisations to document privacy compliance and measure their performance.
As the fourth step, organisations are encouraged to “enhance their response to privacy issues”, for example, by changing privacy practices in response to the evaluation results, considering external assessments of privacy practices and monitoring and addressing new security risks and threats.
While the French and Australian regulators in their guidance documents diverge from the approach taken by their Canadian, Hong Kong and Colombian counterparts, the differences seem to lie in form rather than in substance.
Overall, regulators in Europe, Asia and Latin America are increasingly embracing the new and expanded meaning of the accountability principle as codified in the 2013 OECD Guidelines, which requires organisations to take a more proactive, systematic and comprehensive approach to privacy compliance. More regulators will no doubt follow those that have taken the lead on accountability guides. Organisations should keep a close eye on their national regulators. In the absence of local guidelines, the guides issued by other regulators provide helpful guidance.