In a recent article, Sheila Colclasure, Senior Vice President and Global Public Policy Officer at LiveRamp, wrote:  “If you want your company to exist now and in  the future, you will have to think and act with data. . . . With this [responsibility] comes accountability . . . . Business leaders must think strategically about the reality of becoming data-driven in a responsible way to deliver benefits and prevent harm.”

This pivot (back) to accountability is reinforcing “accountability” as a foundation of data protection. This is happening for a number of reasons. The most important reason is the growing use and impact data is having on individuals and society. However, it is useful to reflect back on the initial focus on accountability through the lens of the Global Accountability Dialogue to explore why this pivot it is taking place.  

History of Accountability

Accountability has been a data protection principle since the 1980 adoption of the OECD Guidelines.  Canada adopted accountability explicitly as part of 1996 standards and the 2000 Personal Information Protection and Electronic Documents Act.  APEC adopted the OECD accountability principle as part of its 2004 privacy framework.  Accountability was implicit in the European country laws enacted after the 1995 EU Directive.  The Spanish Data Protection Agency’s Joint Proposal for an International Privacy Standard included accountability when it was released as the Madrid Resolution.

Despite its repeated recognition as a critical component of effective data protection, there was no clear definition or guidance on how it might be demonstrated or measured. This was the genesis of the Accountability Project[1] initiated in January 2009 by an international group of experts from government, industry and academia to define the essential elements of accountability and consider how an accountability approach to information privacy  and data protection would work in practice. At that time, while there was an emergence of the importance of data to economic development, the issue of the day was centered on cross border data flows and, at some level, the need to create accountable and interoperable data protection systems.

What emerged, as a result of this project in jurisdictions such as Canada and Hong Kong, was specific guidance to business as to regulator expectations on accountability. This guidance, and in the U.S. more explicit laws and privacy enforcement actions by, for example, the FTC, lead to, at least anecdotally, more mature privacy programs inside organizations. For example, and again anecdotally, the adoption of Privacy Impact Assessments seemed to be more prevalent in Canadian and in U.S. organizations than in Europe. Despite the recognition that privacy and data protection programs require a programmatic approach to accomplish their core objectives and despite the many specific process and procedure requirements embedded in the GDPR, a summary of those requirements tied to “accountability” does not exist. And perhaps more relevant, there has been a relative lack of guidance to European business as to the design and components of an accountable, comprehensive data protection program.

---

[1] The Accountability Project eventually was incorporated as the Information Accountability Foundation

Business Environment Today

In 2019, we are in a different place relative to the importance data is playing as a driver of economic growth and innovation and as an integral part of our daily lives as individuals and consumers. Sensors, Artificial Intelligence, Machine Learning enabling advanced analytics and decision making are now mainstays of our digital environment. The importance of data is only going to increase. According to PWC in its Trusted Data Optimization work, 86 percent of businesses say 2019 is the year in which they will race to extract value from data. These companies see the potential on, average, to reduce total annual costs by a third and to increase incremental revenue by over 30 percent.  These same businesses also highlight a number of challenges to realizing on this goal. In addition to core data problems such as reliability, 33 percent of businesses cite their inability to address new regulations (and emerging requirements such as ethical data processing) affecting privacy and data protection as a barrier. One way to summarize the current state is: data-rich, but information-poor and inadequately protected. 60 percent of business leaders lack full confidence or certainty that their company has a comprehensive program to address data security and privacy, and only 18 percent of CEOs strongly agree their organization is adapting the way it monetizes data to better address data privacy and ethics.

Accountability Today

It is clear that for businesses to succeed in optimizing data in a trusted way, they will need to enhance accountability mechanisms both as a way of facilitating internal risk decision-making needs and as a way of meeting market place expectations. The more data intensive a business is, the more risk it creates and by extension the more programmatic ways it needs to allow for trusted data optimization.

The Colclasure article encompasses many parts of the IAFs work on Data Stewardship Accountability. Colclasure describes the need for several operational components that map to IAF work such as ethical data impact assessments and oversight and ethical sourcing and partner accountability.

These “data” trends have advanced other trends in data protection. In 2009 the focus on accountability was positioned as supporting the way individual rights had been thought about. These rights, at the time, were heavily centered around individual control. Today, the complexities of data flows and use have evolved the way individual participation and organizational obligations are thought about. This has led the IAF to suggest principles that update both parts. The first part describes the rights necessary for individuals to function with confidence in our data driven world.  The second part is focused on the obligations that organizations must honor to process and use data in a legitimate and responsible manner.

In the IAF’s blog, Which Accountability Category Do You Fit In, there were two challenges addressed. One was the challenge of translating principles into legislation and the other was the question of whether an organization’s level of data processing required core accountability elements or Accountability 2.0 (Data Stewardship Accountability) that addresses fair or ethical data processing. These two challenge areas are inter-twined. But as the IAF works though the details to address both sides, it is clear the business need and public policy pivot is going to increase the relative focus on accountability. While the IAF is helping with research and education to assist in effective and reasonable public policy in this space, smart businesses are getting ahead of the trend to best facilitate trusted data optimization by implementing accountability 2.0.