Proving Privacy – Assurance, Standards and Certification.

So you've got a kick-ass Privacy Programme? Prove it!

GDPR compliance is behind you, and you've built an awesome Privacy Programme that has established, implemented, monitored and improved privacy management across your organisation. All your contracts say you will comply with the law and with whatever you have committed to contractually, and your new business partner is asking you to prove it. Your senior stakeholders, shareholders, bosses and management are asking how "compliant" you really are. Your customers are asking you to prove you take care of their data. Beyond that, you want to sing out loud to the assembled public about how good you are. So that leaves the question of how to show this assurance: how to demonstrate compliance, and how to gain a "badge" showing you are at the top of your privacy game.

And it is harder than you think. The law is open to interpretation. It is principle-based, so there is no "100% compliant", and no yes/no answer to words like "adequate", "appropriate" and "necessary". Its application varies depending on what you do, with what data, where and why. The market is confusing: you are being offered silver-bullet solutions by tech vendors and cast-iron guarantees of compliance by newly formed "GDPR experts" and "certified professionals", while even the regulator seems slow to reach concrete enforcement decisions, with the court cases that will further define the law still years away. So what do you do?
There are of course a number of things you can do. It is, however, a journey of defining who your stakeholders are, what they need to be told, and what you want to tell them. The information around assurance can be gathered from multiple sources, including:

• Your organisation itself

• Your vendors, and third-party processors

• External sources and reviews

• Certification and standards

Your organisation itself: I'm a big fan of the management system approach, 'plan-do-check-act'. Most organisations are literally "stuck in the do", with few resources, dealing with things reactively. It takes a mature organisation to take the time to look at things proactively and "Plan" their way forwards, and an even more mature one to "Check" that the plan worked effectively and to "Act" on improvement opportunities where they are identified. Monitoring and measuring your own operational privacy programme, internal audit and management review are all ways to achieve control over, and improvement of, your privacy risk management programme. Maturity models and benchmarking can demonstrate not only that you have a programme, but where it requires change and how well it performs against others.

Vendors, processors and third parties: No organisation deals with everything itself anymore. Personal data moves constantly, and we have spent a lot of time ensuring privacy is covered in contracts, Data Processing Agreements and addenda. However, we then often rely on the words in the contract rather than investigating the actions of our partners. Assuring ourselves here should be risk-based: the level of assurance we seek should vary with the risk a partner poses and the amount of personal data processing they perform. Assurance can range from accepting third-party certifications, audits, meetings, monitoring and metrics, to challenging our vendors to back up their claims with testimonials and supplier management both before and after the contract is awarded.

External sources and reviews: Who do you trust to assess your compliance? How much assurance is gained by commissioning a third-party tool or service? How reliable is a third party's analysis of your processing, and are they willing to sign you off? Services here include audits by consultants and lawyers, audits and reviews by our partners, product vendor reports, methodologies from the Big Four, and even regulator audits and inspections. Each of these has a different audience to whom you may wish to disclose the report, and each carries a different weight of recognition according to the assessor's independence and standing in the marketplace.

Certification and Standards: A new world of standards and Codes of Practice is emerging. Some are very industry-specific, and others address only one aspect, such as information security (ISO 27001) alone. Privacy Seals and vendor Trust Marks have been around for years, but are used for narrow purposes such as website "compliance" or a specific regulation or standard. The GDPR itself provides for certification bodies accredited by the supervisory authority (Article 43(1)(a)), which looks a long way off arriving despite new EDPB guidance, so it is to certification bodies accredited by the national accreditation body (Article 43(1)(b)) that we must look. Newer standards have wider scopes, such as ISO/IEC 29100, BS 10012 and ISO/IEC 27552 (published as ISO/IEC 27701), but are little known and do not yet have wide adoption. Note that these seek to certify your operating management system rather than any form of legal compliance. Even so, early adopters look to collect these badges as a form of external recognition, or to circumvent further inspections due to the third party

Selecting the right levels of assurance for your organisation will mean a thorough understanding of your stakeholders' needs, and of what information you will need to satisfy them. Join us at Leadership through Data, where we hold a one-day guide to privacy assurance, taking apart these topics and the management system assurance model to help you understand what assurance can be gained and whom it may satisfy. Gaining assurance not only proves that your organisation has done its homework and created something great, but also means you have the right information available to satisfy your accountability obligation to "proactively demonstrate compliance". After all, you've worked hard. Why not show off a little?


Jacqueline Stockwell

Jacqueline is highly qualified, with an MSc in Healthcare Management and a BA (Hons) in Business Management, and holds the BCS Certificate in Freedom of Information and a Data Protection qualification.