Accountable Executives = Accountable Privacy Programs￼
A Master Class in Establishing an Effective Privacy Program
DOJ Guidance on the evaluation of corporate compliance programs asks three critical questions: 1) is the program well designed, 2) is it earnestly applied, and 3) does it work in practice? Privacy authorities are increasingly adopting a very similar approach to data privacy program governance, implementation, and results.
As Information Accountability Foundation (IAF) president, Barb Lawler noted at the 2022 Summer Spokes Technology Conference (held June 22-23), “We know regulators – from California to Australia, and points in between – – are increasingly, not just interested in – but requiring organizations to prove that their comprehensive privacy programs are operationally effective, aligned with governance strategies, and accountable.”
This means corporate controls binding on even the most senior executives, needed investment across the organization, and a requirement for real-time performance data.
To explore the core elements and architecture of a demonstrable and accountable privacy program, Lawler and IAF Chief Strategist, Martin Abrams hosted Scott Taylor, Chief Privacy Officer of biopharmaceutical giant Merck & Co for a presentation on Accountable Executives = Accountable Privacy Programs which focuses on an in-depth case study of Merck’s program. It is a masterclass in establishing privacy program accountability, effectiveness, and demonstrability.
The Privacy Accountability Timeline
“A lot of folks think accountability came into fashion within the last five or six years, says Lawler, “and that really is not the case at all.”
“Looking back we can see that accountability as a governing principle for privacy and data protection dates to 1980 and the OECD guidelines,” notes Lawler. “And its first representation in national legislation was in Canada under PIPEDA in 2000 as a core principle organizations must follow. Then the APEC Privacy Guidelines of 2003, and so on, through the GDPR where accountability is interwoven throughout.
IAF’s Abrams and Merck’s Taylor worked together on “the accountability project” (at the time Taylor was CPO of Hewlett Packard), which was followed by Abrams’ work on the Essential Elements of Accountability (2009-20212): “A multi-stakeholder effort that brought together business, regulators, policymakers, academics, and advocates, defining what it meant to be ‘accountable,’ ‘responsible,’ and those elements necessary to actually demonstrating accountability,” says Lawler.
Elements of Demonstrable Privacy Accountability
“At the end of 2008, accountability had very little definition and that was particularly important for cross-border data transfers,” reminds IAF’s Abrams.
Taylor and I were actually meeting with a group of data protection authorities in Europe, led by the Irish Commissioner, and we said, ‘what if we had a global dialogue which really put some definition to what it means to be accountable when one is transferring data?’
The five essential elements came out of this process.
—Martin Abrams, IAF
What are those elements of accountability that demonstrate accountability? Lawler delineates:
- Organizational commitment (at the highest level) to fair processing, demonstrable accountability, and the adoption of internal policies consistent with external criteria and established fair processing principles.
- Mechanisms to put fair processing policies into effect, including risk-based adverse impact assessments, tools, training, and education.
“Not check-the-box kinds of activities,” avers Lawler, but integrated, and supported by,
- Internal review processes that assess higher risk FIPAs and the overall fair processing program.
- Individual and organizational demonstrability and the mechanisms for individual participation “that are framed, defined standardized, and can literally be shown. “Think about some of the documentation requirements we’ve seen more recently in GDPR,” notes Lawler. And finally,
- The means for remediation and external enforcement.
These are the metrics an organization can use to describe for the regulator why they should think of them as a responsible and answerable organization, says Abrams.
Merck case study: the strategic framework
You could argue that the ‘what’ is really the same for all of us, but how we implement is very contextual to different companies and industries.
So, this is just one example. It’s not right or wrong. It’s not better or worse. It’s just one example of how we’ve interpreted [these principles] and tried to build them into an internal program at Merck.
—Scott Taylor, Merck & Co.
“This strategic privacy framework is a reflection of what we were hearing from the regulators at the time, in terms of their high-level expectations of an accountable organization,” relates Taylor.
Any good program that’s accountable is going to have some type of oversight. The expectation is that all parts of the company that impact personally identifiable information will come together in shared decision-making that looks at both risks and opportunities.
You’re always balancing tensions between risks and benefits.
—Scott Taylor, Merck & Co.
Below that oversight layers are the three pillars that make up the traditional privacy program:
- Commitment: The policies and programs need to align external expectations (e.g., regulatory and consumer expectations) and be translated so that management understands it fully and can commit to transparency and accountability. “But I’ve always said that the ‘commitment pillar’ is nothing more than words if there isn’t something to put it into effect.”
- Implementation: This is the many different types of mechanisms to ensure those policies and commitments put in place are understandable to employees, and that their effectiveness is measurable both from a compliance and a business standpoint. “But implementation is a bit of a waste if you don’t have a way to validate that it’s actually turned out the way you expected.”
- Validation: More than just data indicating the commitment was correctly translated into action, it provides some of the best information in terms of elucidating any gaps you might have so you can continuously improve the program.
These three mechanisms supported by the overarching governance, opines Taylor, form the foundation of demonstrability – to both internal and external stakeholders – of the organization’s privacy program commitment and accountability.
“As simple as it may seem, everything anchors back to it,” says Taylor.
Merck case study: implementation
Accountability starts with accountable people…and for things to be truly accountable, people have to be measured on their success in upholding their piece of accountability.
—Scott Taylor, Merck & Co.
Accountability at Merck begins with the Corporate Compliance Objectives, relates Taylor. The set of objectives senior executives are measured against are very specific in terms of what and how. It is done on an annual basis, and it impacts compensation.
Importantly, cautions Taylor, “If you’re going to have a high-level objective that could impact people’s compensation, then it needs to be structured very well.”
The “binding mechanism” is the Merck Privacy Function Deployment Standard: the standard operating procedures (SOPs) that set out ten (10) elements for which senior executives are accountable. These SOPs detail what, how, and crucially, the tools and resources – including the assignment of Privacy Stewards – to support these efforts.
Supporting, and ensuring privacy is effective across all the businesses, Merck has 209 Privacy Stewards around the world. Each of whom undergo self-assessments against the 10 elements. The stewards spend anywhere from 25% to 100% of their time supporting privacy “in a very specific way.” Taylor details that Merck “provides their privacy stewards with very specific implementation standards and processes.
The privacy implementation network at Merck (at a high level) comprises:
- The Governance Body (comprising senior representatives appointed by the highest levels at Merck)
- The Central Privacy Office which oversees all aspects of that framework strategy and end-to-end management supported and held accountable by
- Critical Partners such as Procurement, Legal, Internal Audit, and Privacy Stewards
All of whom act in concert in a shared accountability with whom the Central Privacy Office maintains continuous bi-directional dialogue. This forms the people strategy, says Taylor. And everyone “operates off the same song sheet. No matter who you go to, you’re going to get the same answer.”
Finally, a program such as this cannot be done manually. It requires well-developed standards, policies, and procedures, the control sets, and crucially, the technology to support it.
It is complex, admits Taylor, and to manage that complexity Merck utilizes assistive technology, “in everything we do. So, “pretty much every requirement has a tool and an underlying process to support it. We’re trying to take manual out of the process and facilitate through workflows and technologies.”
As Taylor emphasizes, accountability is not “words on paper or pretty slides.” Rather it is a carefully architected program requiring the commitment of people, well-designed process, robust toolsets, and the binding mechanisms that transform intent into earnest application that works in practice. As Taylor notes, it is “complex,” but the equation is simple: Accountable People (+ the processes, tools, and binding mechanisms to support them) = Accountable Privacy. The results, of which there are many, include:
- Effective governance and oversight
- Greater visibility into processes
- Enhanced analytics
- Data-based decision making
- Solid metrics and KPIs
- Enhanced risk identification and mitigation capabilities
- Improved turn-around times (e.g., PIA, DSARs, ROPA)
- Improved third-party due diligence
- Better role-based privacy training
- Ability to implement timely and continuous improvement, and
- Transformation from reactive to proactive data privacy operations
The Merck case study truly is a masterclass in establishing privacy program accountability and demonstrability and what a mature program can be. It should be required viewing by all privacy professionals. Don’t wait. Access it here now.