A Trusted Digital Ecosystem Requires Glass Breaking Legislative Change – IAF Summit Recap
The observational age that drives change in all avenues of human life requires data governance marked by an orderly transition to demonstrable accountability. Provable responsibility means new ways of thinking about fair processing legislation that is driven by clear objectives and investments in the regulatory infrastructure. Accountable organizations during this transitional period will need demonstrable operational efficiencies as organizations wrestle with thorny issues like disease-free human spaces during a global pandemic. The preceding three sentences summarize the IAF annual summit held virtually over three days in April.
As the title of the summit, “Mapping a Pathway for Functional Accountability Through the Data Protection Chaos,” indicates, the summit looked at three different but related issues, one on each of its three days:
- The first day took a look at demonstrable accountability from the perspective of both organizations building demonstrable structures and regulators demanding clear evidence of those structures and risk processes. Since both organizations and regulators frequently lack the resources to meet these goals, two panels, one consisting of companies and the other made up of regulators, responded. Representatives of leading companies discussed how their companies use a trust model or code in the operation of their businesses that also helps protect the privacy of their customers’ personal information. The regulators discussed how they look at evidence of demonstrable accountability, which can include privacy impact assessments and data protection impact assessments, audits, and compliance with codes of conduct and certification schemes.
- Day two focused on whether information policy legislation should be based on incremental or transformational changes to existing laws. The first panel discussion began with principles for accountability-based legislation and flowed into the need for clear objectives when designing legislation. The second panel weighed whether objective measures could be used to make subjective decisions on fair processing program adequacy. This session illuminated the need to go beyond enforcement and look to oversight as a means of achieving fair practices. The day finished with a panel discussion on whether the drivers for real changes in privacy approaches could overcome the natural tendency of law to revert to legacy models even when those models are out of date.
- Day three focused on operational efficiency to smooth the way to accountability implementation. It began with a prediction by the President and CEO of the IAPP that the privacy field needs 500,000 new privacy professionals because new privacy laws have created a growing demand. This prediction is consistent with day one’s discussion about skill gaps at both companies and regulatory agencies. Next, a panel discussed how internal and external audit can provide demonstrable proof points and made the case that sound controls are necessary for performance reviews. The next panel focused on efficiency in vendor oversight and reviews, a pressing issue for organizations with thousands of vendors. The last panel used vaccine passports as an example of demonstrable accountability to illustrate the issues that need to be addressed and how to address them (e.g., don’t confuse travel and privacy issues, the necessity for accuracy of identity when using health data, equity issues).
What linked the days together was the complexity of data protection in an observational age where simple responses aren’t up to the trust and operational challenges in what has traditionally been called privacy and data protection. A complex observational world that drives predictive solutions requires equally complex controls. This complexity in turn requires investments in change. Additional qualified resources are needed to make an accountability-based system work, hard operational choices will need to be made when new requirements overwhelm the old ones, and transformational legislation is necessary even though policy makers only want to discuss enhancements to individual control.
Where will these discussions take the IAF research agenda? Future policy calls and research projects related to what the IAF learned at the summit will be announced in future blogs.