Privacy Management Programme – what does one look like?

October 2021

The concept is nothing new, but the term Privacy Management Programme (PMP) has been flung into the spotlight by the UK Government’s proposals to reform data laws.

In a nutshell, the Government is proposing to revise the current accountability framework, replacing existing obligations (some of which are mandatory) with a requirement to implement a PMP.

It’s argued in the consultation paper that the current legislative framework ‘may be generating a significant and disproportionate administrative burden’ because it sets out detailed requirements organisations need to satisfy in order to demonstrate compliance.

The idea is a new ‘risked-based accountability framework’ could be introduced, requiring organisations to implement a PMP, but allow flexibility to internally tailor the programme to suit the organisation’s specific processing activities.

What is a Privacy Management Programme?

A PMP is a structured framework which supports organisations to meet their legal compliance obligations, the expectations of customers and clients, fulfil privacy rights, mitigate the risks of a data breach – and so forth.

Such a programme should recognise the value in taking an all-encompassing, holistic approach to data protection and privacy; embedding data protection principles and the concept of privacy by design and default.

Core components of a Privacy Management Programme

There are a number of PMP approaches and frameworks in existence. The UK Government has not yet elaborated on what they would expect a PMP to look like.

This top-level summary is broadly based on the IAPP’s Privacy Programme Management approach.

  • Governance

Organisations should develop and implement a suitable framework of management practices which make sure data is used properly and in line with organisational aims, laws and best practice. This should include adopting a privacy by design and by default approach; ensuring appropriate measures are in place to prevent unnecessary risks.

  • Assessments

Achieving clear oversight of the data held and processed, including any suppliers used to support business activities. Developing risk assessment tools which help to identify privacy risks and manage them effectively (e.g. Privacy Impact Assessments / Data Protection Impact Assessments).

  • Record-keeping

Mapping and maintaining an inventory of where personal data is, its purpose, how it is used and who it’s shared with.

  • Policies

Developing and implementing clear policies and procedures to guide staff and give them clear instructions about how personal data should be collected, used, stored, shared, protected and so on.

  • Training and awareness

Making sure adequate and appropriate training is conducted to give staff the knowledge and understanding they need to protect and handle data lawfully and in line with organisational expectations in their day-to-day roles. Making sure people are aware of how their organisation expects them to behave.

  • Privacy rights

Putting in place appropriate procedures to effectively and efficiently fulfil individual privacy rights requests, such as the right of access, erasure or objection.

  • Protecting personal information

Crucial to any PMP is protecting personal information. Working in conjunction with information security, a data protection by design approach would be expected – a proactive rather than reactive approach.

  • Data incident planning

Creating and developing data incident procedures and plans. Having appropriate methods to assess risk and potential impact, as well as understanding breach notification requirements.

  • Monitoring and auditing

Last, but by no means least no PMP would be complete without a methodology for tracking and benchmarking the programme’s performance.

What might change?

To many who’ve endeavoured to comply with the GDPR, all of the above will sound very familiar.

So, the Government isn’t proposing we do away with all the hard work already done. It’s suggesting a relaxation to some of the mandatory requirements; giving organisations more flexibility and control over how they implement certain elements of their programme.

For example, the Government is proposing to remove the following mandatory requirements:

  • Organisations with more than 250 employees needing to create and maintain a Record of Processing Activities, meeting a specified level of detail.
  • The requirement to conduct a Data Protection Impact Assessments for certain higher risk processing activities. (Again GDPR tells us what a DPIA must cover).
  • The requirement for some organisations to appoint a Data Protection Officer.

On the one hand, this could be seen as a welcome move away from a ‘one-size fits all’ approach under UK GDPR, giving organisations more flexibility around how implement their privacy programmes to achieve desired outcomes.

On the other hand, there are fears the removal of mandatory requirements will lead to a watering down of the fundamental principle of accountability (a principle significantly bolstered under GDPR).

The accountability obligations under GDPR are seen as a core way of making sure organisations are held responsible and  ‘accountable’ for what they do with personal data. Making them accountable for complying with legislation and compelling them to clearly demonstrate how they comply.

It could be argued it is already baked into GDPR and ICO guidance that effective policies, procedures and measures to protect data should be proportionate to the risks an organisation faces.

Nothing is decided yet, these are just proposals at the moment which are out for consultation, so we’ll have to wait and see what the future may or may not bring.