00:12
Adam Stofsky
Shannon, one of the core principles, sort of global principles of privacy law is accountability. Can you kind of just walk us through just what that means?
00:25
Shannon Yavorsky
Sure. In the context of data protection and privacy, accountability really refers to the principle that organizations are responsible for demonstrating their compliance with data protection regulations and ensuring that they handle personal data in a lawful manner. It's often a key component of data protection frameworks like the GDPR, and it's increasingly turning up in US laws as well. Some of the key aspects of accountability from a data protection perspective include things like ensuring you have data protection policies and procedures in place, you've carried out data protection impact assessments, and you operationalize the core privacy principles like data minimization, storage limitation, purpose limitation, consent, and transparency is another one. So ensuring that you're being transparent with people and have a privacy notice in place.
01:24
Shannon Yavorsky
For me, accountability is really about telling your data protection compliance story, so that if a regulator comes knocking, you're able to say, here are the steps that I took to comply with the law, and maybe there was a violation nevertheless, but you're able to show that you took steps to mitigate the risks.
01:43
Adam Stofsky
Interesting, when I first heard accountability, I just assumed it kind of meant like fines and punishment. But the way you're describing accountability is actually kind of positive in a way. It's like, here's how we're going to be accountable to the people whose data we're holding and to the regulators who represent the people who pass these laws. Is that a good way of describing it?
02:07
Shannon Yavorsky
I think that's exactly right. It's about showing regulators and consumers how you've complied with the law. Again, like telling your narrative about how you've complied with data protection legislation and doing that through memorializing the steps that you've taken. Right. Setting out: here's a data protection impact assessment. We thought there was a risk here. Here are the steps. We filled out a data protection impact assessment form. We figured out what the risks were, and then we took steps to mitigate the risk. So that's just one example. But there are many ways that an organization can demonstrate that accountability principle, which, frankly, in the legislation, there's not a lot of specificity around what accountability means. So it really is about memorializing the steps that you took to comply with the law and showing your data protection compliance narrative.
03:01
Adam Stofsky
So it lets different kinds of companies be accountable in different ways that are suitable to their business. Right. If you run a concert venue with tons of people being present and you're buying and selling stuff, versus if you run a completely remote software business, you can kind of manage privacy and still abide by the same rules, but in very different ways.
03:25
Shannon Yavorsky
Yeah, that's really fair to say. I think it really depends on the kind of business that you're operating, and maybe your accountability. The steps that you take for accountability for a B2B company that's maybe in manufacturing are a whole lot different than the steps that a B2C company has to take with respect to their collection and processing and storage of a lot of consumer data. There's just a higher level of accountability associated with different kinds of businesses. So I think that's a great point.
03:58
Adam Stofsky
Okay, so let's talk about that harsher kind of accountability. What happens if a company does mess this up? What are they potentially on the hook for?
04:07
Shannon Yavorsky
That's a really good question. So the GDPR has this neat little Article 83 that talks about the imposition of fines. And it really says that the regulator is bound to take under consideration the steps that you took to comply with the law. They'll also consider the nature and gravity of the offense, but they'll look at what you did. They'll look under the hood. They'll ask: what are the steps that you took? Can you show us how you're accountable to this principle, or how you're accountable to these laws, and the steps that you took to comply? And that's going to go a long way with a regulator who's investigating or considering levying a fine, if you're able to show what you did, the steps to recognize the risk, and the steps that you took to mitigate that risk.
05:00
Adam Stofsky
Is that same framework true under US law? Under US state laws, yeah, absolutely.
05:07
Shannon Yavorsky
So the regulators, both state attorneys general and now the California Privacy Protection Agency and the FTC, in the context of their investigations, they'll certainly take under consideration the steps that the company took to comply with the law. So accountability, even though it was really first enshrined in the GDPR, the General Data Protection Regulation, is kind of a global privacy principle. It's a good one to just ensure is embedded in your organization, to the extent to which you're building your privacy program. You're able to articulate the steps that you took to recognize the applicable laws and obligations and the steps that you took to comply: policies, processes, procedures, maybe audits that you conduct on an annual basis of your data processors, for example.
05:59
Shannon Yavorsky
All of those steps that you took are wrapped into that accountability principle, and the regulators, both in Europe and the US and globally, will look favorably upon the steps that you took to comply with the law.
06:15
Adam Stofsky
Okay, I have one more question on this. Who does all this in a company, and is the "who does it" part of accountability?
06:24
Shannon Yavorsky
So it really depends on the kind of company and the resources that they have. In larger companies, where there's a chief privacy officer or a privacy team, it'll be primarily that team, maybe working with the data protection officer, working to build the privacy program and implement policies and procedures and operationalize policies and procedures. In smaller companies, where there's maybe just a general counsel and one other legal person, it'll be that legal team that's working to implement policies and procedures. And sometimes, where there's no general counsel and it might just be the founders and the CEO and the CFO, we've certainly seen those folks as well be responsible for, take the mantle of, implementing relevant policies and procedures scaled and keyed to the level of the business's development.
07:20
Shannon Yavorsky
So as it gets more advanced, then they'll hire a GC or they get to a certain level and they need to take on board a chief privacy officer. It just becomes more advanced as the company grows.
07:35
Adam Stofsky
Great. All right. Thank you, Shannon.
07:37
Shannon Yavorsky
Thanks, Adam.