Governance and accountability refers to the policies, procedures, and processes that an organization puts in place to ensure that its data privacy program is effective and compliant with relevant laws and regulations. It also includes the mechanisms for ensuring that individuals and teams within the organization are held accountable for meeting the organization’s privacy obligations. Without such a system in place, proving compliance, ensuring follow-through, and identifying compliance gaps are significantly more challenging.
A privacy program with immature governance and accountability practices has little or no formal structure for overseeing data privacy at the organization, and the individuals who are accountable for data privacy at the organization and team level are unclear or undefined. There is likely no internal auditing of privacy policy adherence, or if there is, it is done in a retroactive manner. When internal noncompliance is identified, there may be no follow-up or remediation efforts. It may be the case that individuals who ought to be accountable for privacy in their domain are unaware of privacy policies and procedures at all.
In contrast, mature governance and accountability practices include clear policies and procedures for handling personal data, oversight mechanisms to ensure compliance with those policies, and accountability structures that hold individuals and teams within the organization to their privacy obligations. The organization regularly assesses its privacy program to identify and address any gaps, and it has mechanisms in place to monitor and report on privacy risks and incidents.
Establishing strong governance and accountability practices can seem abstract at first, but privacy professionals can mature these practices through the following actions: