Privacy Management Accountability Framework - GDPR Edition
NYMITY PRIVACY MANAGEMENT ACCOUNTABILITY FRAMEWORK™
A Practical and Operational Structure for Complying with the World's Privacy Requirements - Mapped to GDPR

LEGEND: Activities mapped to GDPR to demonstrate compliance

1 Maintain Governance Structure
Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures

PRIVACY MANAGEMENT ACTIVITIES
• Assign responsibility for data privacy to an individual (e.g. Privacy Officer, General Counsel, CPO, CISO, EU Representative)
• Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)
• Appoint a Data Protection Officer (DPO) in an independent oversight role
• Assign responsibility for data privacy throughout the organization (e.g. Privacy Network)
• Maintain roles and responsibilities for individuals responsible for data privacy (e.g. job descriptions)
• Conduct regular communication between the privacy office, privacy network and others responsible/accountable for data privacy
• Require employees to acknowledge and agree to adhere to the data privacy policies
• Engage stakeholders throughout the organization on data privacy matters (e.g. information security, marketing, etc.)
• Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)
• Report to external stakeholders on the status of privacy management (e.g. regulators, third-parties, clients)
• Conduct an Enterprise Privacy Risk Assessment
• Integrate data privacy into business risk assessments/reporting
• Maintain a Privacy Strategy
• Maintain a privacy program charter/mission statement

2 Maintain Personal Data Inventory and Data Transfer Mechanisms
Maintain an inventory of the location of key personal data storage or personal data flows, including cross-border, with defined classes of personal data

PRIVACY MANAGEMENT ACTIVITIES
• Maintain an inventory of personal data and/or processing activities
• Classify personal data by type (e.g. sensitive, confidential, public)
• Obtain regulator approval for data processing (where prior approval is required)
• Register databases with regulators (where registration is required)
• Maintain documentation of data flows (e.g. between systems, between processes, between countries)
• Maintain documentation of the transfer mechanism used for cross-border data flows (e.g. model clauses, BCRs, regulator approvals)
• Use Binding Corporate Rules as a data transfer mechanism
• Use contracts as a data transfer mechanism (e.g. Standard Contractual Clauses)
• Use APEC Cross Border Privacy Rules as a data transfer mechanism
• Use Privacy Shield as a data transfer mechanism
• Use regulator approval as a data transfer mechanism
• Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism

3 Maintain Internal Data Privacy Policy
Maintain a data privacy policy that meets legal requirements and addresses operational risk and risk of harm to individuals

PRIVACY MANAGEMENT ACTIVITIES
• Maintain a data privacy policy
• Maintain an employee data privacy policy
• Maintain an organizational code of conduct that includes privacy
• Document legal basis for processing personal data
• Integrate ethics into data processing (Codes of Conduct, policies and other measures)

4 Embed Data Privacy Into Operations
Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives

PRIVACY MANAGEMENT ACTIVITIES
• Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)
• Maintain policies/procedures for collection and use of children and minors' personal data
• Maintain policies/procedures for maintaining data quality
• Maintain policies/procedures for the de-identification of personal data
• Maintain policies/procedures to review processing conducted wholly or partially by automated means
• Maintain policies/procedures for secondary uses of personal data
• Maintain policies/procedures for obtaining valid consent
• Maintain policies/procedures for secure destruction of personal data
• Integrate data privacy into use of cookies and tracking mechanisms
• Integrate data privacy into records retention practices
• Integrate data privacy into direct marketing practices
• Integrate data privacy into e-mail marketing practices
• Integrate data privacy into telemarketing practices
• Integrate data privacy into digital advertising practices (e.g. online, mobile)
• Integrate data privacy into hiring practices
• Integrate data privacy into the organization's use of social media
• Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures
• Integrate data privacy into health & safety practices
• Integrate data privacy into interactions with works councils
• Integrate data privacy into practices for monitoring employees
• Integrate data privacy into use of CCTV/video surveillance
• Integrate data privacy into use of geo-location (tracking and/or location) devices
• Integrate data privacy into policies/procedures regarding access to employees' company e-mail accounts
• Integrate data privacy into e-discovery practices
• Integrate data privacy into conducting internal investigations
• Integrate data privacy into practices for disclosure to and for law enforcement purposes
• Integrate data privacy into research practices (e.g. scientific and historical research)

5 Maintain Training and Awareness Program
Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks

PRIVACY MANAGEMENT ACTIVITIES
• Conduct privacy training
• Conduct privacy training reflecting job specific content
• Conduct regular refresher training
• Incorporate data privacy into operational training (e.g. HR, marketing, call centre)
• Deliver training/awareness in response to timely issues/topics
• Deliver a privacy newsletter, or incorporate privacy into existing corporate communications
• Provide a repository of privacy information (e.g. an internal data privacy intranet)
• Maintain privacy awareness material (e.g. posters and videos)
• Conduct privacy awareness events (e.g. an annual data privacy day/week)
• Measure participation in data privacy training activities (e.g. number of participants, scoring)
• Enforce the requirement to complete privacy training
• Provide ongoing education and training for the Privacy Office and/or DPOs
• Maintain qualifications for individuals responsible for data privacy, including certifications

6 Manage Information Security Risk
Maintain an information security program based on legal requirements and ongoing risk assessments

PRIVACY MANAGEMENT ACTIVITIES
• Integrate data privacy risk into security risk assessments
• Integrate data privacy into an information security policy
• Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
• Maintain measures to encrypt personal data
• Maintain an acceptable use of information resources policy
• Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties)
• Integrate data privacy into a corporate security policy (protection of physical premises and hard assets)
• Maintain human resource security measures (e.g. pre-screening, performance appraisals)
• Integrate data privacy into business continuity plans
• Maintain a data-loss prevention strategy
• Conduct regular testing of data security posture
• Maintain a security certification (e.g. ISO)

7 Manage Third-Party Risk
Maintain contracts and agreements with third-parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance

PRIVACY MANAGEMENT ACTIVITIES
• Maintain data privacy requirements for third parties (e.g. clients, vendors, processors, affiliates)
• Maintain procedures to execute contracts or agreements with all processors
• Conduct due diligence around the data privacy and security posture of potential vendors/processors
• Conduct due diligence on third party data sources
• Maintain a vendor data privacy risk assessment process
• Review long-term contracts for new or evolving data privacy risks
• Maintain a policy governing use of cloud providers
• Maintain procedures to address instances of non-compliance with contracts and agreements
• Conduct due diligence around the data privacy and security posture of existing vendors/processors

8 Maintain Notices
Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance

PRIVACY MANAGEMENT ACTIVITIES
• Maintain a data privacy notice
• Provide data privacy notice at all points where personal data is collected
• Provide notice by means of on-location signage, posters
• Provide notice in marketing communications (e.g. emails, flyers, offers)
• Provide notice in contracts and terms
• Maintain scripts for use by employees to explain or provide the data privacy notice
• Maintain a privacy Seal or Trustmark on the website to increase customer trust

9 Respond to Requests and Complaints from Individuals
Maintain effective procedures for interactions with individuals about their personal data

PRIVACY MANAGEMENT ACTIVITIES
• Maintain procedures to address complaints
• Maintain procedures to respond to requests for access to personal data
• Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data
• Maintain procedures to respond to requests to opt-out of, restrict or object to processing
• Maintain procedures to respond to requests for information
• Maintain procedures to respond to requests for data portability
• Maintain procedures to respond to requests to be forgotten or for erasure of data
• Maintain Frequently Asked Questions to respond to queries from individuals
• Investigate root causes of data privacy complaints
• Monitor and report metrics for data privacy complaints (e.g. number, root cause)

10 Monitor for New Operational Practices
Monitor organizational practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles

PRIVACY MANAGEMENT ACTIVITIES
• Integrate Privacy by Design into data processing operations
• Maintain PIA/DPIA guidelines and templates
• Conduct PIAs/DPIAs for new programs, systems, processes
• Conduct PIAs or DPIAs for changes to existing programs, systems, or processes
• Track and address data protection issues identified during PIAs/DPIAs
• Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate)
• Engage external stakeholders (e.g. individuals, privacy advocates) as part of the PIA/DPIA process

11 Maintain Data Privacy Breach Management Program
Maintain an effective data privacy incident and breach management program

PRIVACY MANAGEMENT ACTIVITIES
• Maintain a data privacy incident/breach response plan
• Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
• Maintain a log to track data privacy incidents/breaches
• Monitor and report data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)
• Conduct periodic testing of data privacy incident/breach plan
• Engage a breach response remediation provider
• Engage a forensic investigation team
• Obtain data privacy breach insurance coverage

12 Monitor Data Handling Practices
Verify operational practices comply with the data privacy policy and operational policies and procedures, and measure and report on their effectiveness

PRIVACY MANAGEMENT ACTIVITIES
• Conduct self-assessments of privacy management
• Conduct Internal Audits of the privacy program (i.e. operational audit of the Privacy Office)
• Conduct ad-hoc walk-throughs and/or accountability
• Conduct ad-hoc assessments based on external events, such as complaints/breaches
• Engage a third party to conduct audits/assessments
• Monitor and report privacy management metrics
• Maintain documentation as evidence to demonstrate compliance
• Maintain certifications, accreditations or data protection seals for demonstrating compliance to regulators

13 Track External Criteria
Track new compliance requirements, expectations, and best practices

PRIVACY MANAGEMENT ACTIVITIES
• Identify ongoing privacy compliance requirements (e.g. law, case law, codes, etc.)
• Maintain subscriptions to compliance reporting service/law firm updates to stay informed of new developments
• Attend/participate in privacy conferences, industry association, or think-tank events
• Record/report on the tracking of new laws, regulations, amendments or other rule sources
• Seek legal opinions regarding recent developments in law
• Identify and manage conflicts in law
• Document decisions around new requirements, including their implementation or any rationale behind decisions not to implement changes

The Nymity Privacy Management Accountability Framework(™) was developed based on Nymity’s global research on data privacy accountability.
The Framework is a comprehensive listing of over 130 Privacy Management Activities (PMAs) categorized into 13 Privacy Management Categories (PMCs).
UPDATED JANUARY 2019 Copyright © 2018 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated.
Reproduction, modification, transmission, use, or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc. Requests may be sent to [email protected].
