Developing a unique privacy framework
While the World Bank Groups holds immunity from the myriad of data privacy laws and regulations around the world, they are still committed to protecting the data of the individuals they support as well as their staff. To protect themselves from legal ramifications, the World Bank Group has developed their own independent data privacy framework that is not biased towards any regulation or directive.
The World Bank’s goals are to alleviate poverty and boost shared prosperity. Data Privacy helps ensure that the personal data of the communities they work in are safeguarded and protected. There are a variety of reasons the World Bank decided to implement a self-imposed data protection framework. Tami recalls a project in Kenya and India, “The data subjects gave up money or their time for privacy protections. We found that privacy concerns are not limited to any demographics."
The World Bank Group’s Data Privacy Framework is based on seven high-level principles that govern the use of personal data by the World Bank’s Governing Institutions. The framework applies to all personal data and all data subjects. These principles include:
- Legitimate, transparent, and fair processing
- Purpose limitation and data minimization
- Data accuracy
- Storage limitation
- Security
- Transfers to third-parties
- Accountability and data subject review
Building trust within the communities they serve
Many organizations are prioritizing trust as a key differentiator and the World Bank is championing these efforts. Privacy touches all aspects of life of the constituents they serve, and the communities they serve are particularly vulnerable. To fulfill their larger mission of building trust within the communities they serve is imperative.
When developing their Data Privacy Framework, Tami and her team understood how important it was to incorporate an external accountability mechanism. Since the World Bank has immunity from regional laws and regulations, this means that they would not have an assigned regulator. Data subjects can submit complaints to be evaluated and investigated based on a multi-tier approach which builds trust between the World Bank’s clients and stakeholders and ensures external accountability.
How does OneTrust support the World Bank’s privacy program?
The World Bank started their privacy program manually entering record processing activities into excel spreadsheets. Like many other organizations, they soon realized that this was not sustainable and sought out a privacy management solution. They released an extensive RFP (Request for Proposal), and after a thorough review the World Bank determined OneTrust to have the best software capability to build their novel privacy program.
The World Bank leverages several OneTrust modules to manage records of processing, privacy impact assessments, and data subject access requests. Through OneTrust, the World Bank’s team across the globe easily utilizes the platform to automate and complete privacy-related tasks.
Tami explained that to build privacy into the DNA of an organization privacy professionals should leverage a top-down approach and messaging is key. “We take a top-down approach to privacy with strong messaging and support from senior management. We also want to make sure our staff on the ground have the tools, that is where OneTrust comes in,” said Tami.
OneTrust supports the World Bank’s campaign to ingrain privacy into the DNA of their organization in two major ways. The first is by using the Privacy Impact Assessments (PIA). By leveraging OneTrust’s automated templates, the World Bank’s employees around the world can operationalize privacy by design principles into all aspects of their work easily. This is essential to help team members identify and guide the use of personal information across the organization. By leveraging a PIA, the organization can identify potential risks and establish procedures and systems to enable the privacy by design approach.
Tami explained that the World Bank’s staff on the ground uses PIAs and DPIAs for, “basic self-assessments, for surveys, and for technology. These segue into the DPIAs if there is a higher risk, and we want to take a deeper dive.”
OneTrust modules used by the World Bank Group:
- Data Mapping: Supports data controllers as they build and maintain an up-to-date mapping of their IT systems, business processes and third-parties, and the many-to-many relationships between.
- PIA/DPIA: Leverage OneTrust’s library of customizable assessment templates, built by in-house experts, or customize your own to fit specific organizational workflows.
- Data Subject Access Request (DSAR): Automate task assignments start to finish, from validating identities, record updating, collection, redaction, and deletion of data, through a secure two-way communication portal.
Looking ahead, the World Bank is working diligently with OneTrust’s implementation team to operationalize their Data Subject Access Request Portal that their staff and data subjects around the world will be able to utilize.