On June 3, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published its report, What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework (“Report”). The Report consolidates the findings of CIPL’s Accountability Mapping Project launched in September 2019, which is part of CIPL’s broader work on the central role of organizational accountability in data privacy.

The main objective of the Report is to promote organizational accountability in data privacy as an essential prerequisite for the 4th Industrial Revolution. CIPL has mapped organizations’ real data privacy practices to the CIPL Accountability Framework to provide concrete examples of how to implement effective, demonstrable and enforceable accountability measures through organizations’ privacy management and compliance programs. The Report also includes 46 case studies from 17 participating organizations from different sectors, geographies and sizes – including two SMEs and a university.

According to Bojana Bellamy, President of CIPL:

“Accountability has been championed by visionary senior leaders and chief privacy officers in the world’s leading companies. It has also been encouraged by many forward-thinking data privacy regulators and lawmakers in the U.S., Canada, Europe, Asia-Pacific and Latin America. Yet, there has been no formal consensus, nor consistent evidence of what data privacy accountability means in practice.”

The Report also outlines 10 common trends within accountable organizations:

  1. Accountable organizations view accountability as a journey and an internal change management process to embed data privacy in the company’s DNA that goes beyond a one-moment-in-time checkbox compliance exercise.
  2. Project participants consider the CIPL Accountability Framework to be an ideal and well-established architecture to build, organize, measure and communicate an effective data privacy management program that translates legal requirements into actionable controls.
  3. Accountable organizations and privacy officers recognize accountability as a business topic and driver, enabling responsible innovation and business sustainability.
  4. Project participants reported that accountability results in business benefits and efficiencies by reducing delays in sales, reducing the number and cost of data breaches, scaling compliance activities and improving overall operational efficiencies.
  5. Processors also are strongly embracing accountability, as it enables them to differentiate themselves in the marketplace and build trust in the digital supply chain with clients who are looking for accountable business partners to fulfill their own obligations.
  6. Senior leaders recognize the importance of “tone from the top” and leading by example to drive internal cultural change towards data protection.
  7. Accountability is sector agnostic and scalable, as it can be implemented by organizations of all types, sizes, sectors (including the public sector), geographical footprints and varying corporate cultures.
  8. Accountable organizations proactively manage privacy risks to individuals and adopt a risk-based approach to their data privacy management program.
  9. Senior management and boards are familiar with accountability frameworks, given that they also are used in other compliance areas such as anti-corruption, anti-money laundering, competition law, export controls and information security.
  10. Accountable organizations are driving global convergence in data privacy laws and best practices, which is also helpful for national regulators around the globe who are able to align their views and expectations of data privacy compliance activities.

The participating organizations in the CIPL Accountability Mapping Project are: Accenture, The Adecco Group, BNP Paribas, Boeing, Cisco Systems, Dropbox, Doctrine, Erasmus University Rotterdam, Google, Mastercard, Novartis, Refinitiv, Symcor, Teleperformance, Twitter, Vodafone and Yoti.

Download a copy of the Accountability Mapping Report.