Is Your Company Accountable?
By Eileen Feretic
As more and more data streams through networks around the world, the risk of security breaches of personal and confidential information increases dramatically. It's up to enterprises to protect this information without impeding the flow of data--definitely not an easy task.
In "Data Protection Accountability: The Essential Elements," the Centre for Information Policy Leadership at Hunton & Williams (www.hunton.com/resources/sites/general.aspx?id=45) proposes accountability as a solution to this problem. (Accountability, according to the paper, is a concept that was first established in data protection by the Organization for Economic Cooperation and Development and is now a well-established principle.)
"At a time when the responsibility for data protection is under review, this paper charts the course for establishing accountability-based data protection and motivating stakeholders to take the important steps in regulating information management," said Executive Director Martin Abrams.
To provide some guidelines for establishing an accountability-based system, the center brought together international experts, who initiated the Galway Project in January 2009 "to define the essential elements of accountability and consider how an accountability approach to information privacy protection would work in practice. ... It involves setting privacy protection goals for companies based on criteria established in law, self-regulation and best practices, and vesting the organization with both the ability and the responsibility to determine appropriate, effective measures to reach those goals."
The project team also provided some elements that are essential components of accountability. They are:
1. Organization's commitment to accountability and adoption of internal policies consistent with external criteria 2. Mechanisms to put privacy policies into effect, including tools, training and education 3. Systems for internal, ongoing oversight and assurance reviews and external verification 4. Transparency and mechanisms for individual participation 5. Means for remediation and external enforcement.
Why should a company implement an accountability-based system? For one thing, it can safeguard its customers' personal information. For another, it can help protect the firm from data breaches that can result in lost business, unhappy customers, bad press and potentially debilitating lawsuits.