Privacy Roles, Responsibilities and Accountability Policy

The Privacy Roles, Responsibilities and Accountability Policy defines how the organization assigns, documents, communicates, reviews, and improves responsibilities within its Privacy Information Management System. Its scope covers personnel, functions, systems, suppliers, processors, subprocessors, and joint controller relationships that participate in or influence PII processing within the PIMS scope. The policy applies across controller, joint controller, processor, and subprocessor contexts, making it relevant to the full set of privacy operating models described in the document. It also makes clear that it does not create new organizational job titles; instead, it defines canonical PIMS roles that can be assigned to existing personnel or functions when the required assignment, competence, independence, and conflict-of-interest requirements are documented. The policy establishes a structured PIMS role model and evidence-based accountability approach. Top Management must approve the canonical role model in REG01 before initial implementation and annually thereafter. The Privacy Lead / PIMS Manager maintains named role assignments, responsibility scopes, and authority levels in REG01, including updates following personnel or organizational changes. Processing ownership is tied to REG02, where Process Owners / Business Owners assign accountable owners for each PII processing activity before processing begins and System Owners / Application Owners document accountable system owners before go-live. Supplier, processor, subprocessor, third-party data sharing, and joint controller relationship ownership is recorded in REG08 before onboarding or agreement approval. A central part of the policy is the management of role combinations, segregation, and independence. The policy permits practical role combination, including for small and medium-sized organizations, but requires documentation before combinations take effect. Role combinations involving the Privacy Lead / PIMS Manager, Data Protection Officer / Privacy Advisor, Information Security Lead, Incident Response Coordinator, or Internal Audit / Compliance Reviewer require Top Management approval in REG01. The Internal Audit / Compliance Reviewer must document independence from the PIMS process being reviewed in REG12 before each audit or compliance review. Where segregation conflicts cannot be avoided, compensating controls must be recorded, and the Data Protection Officer / Privacy Advisor must record independence or conflict-of-interest concerns within five business days of identification. The policy also defines accountability across controller, joint controller, processor, and subprocessor responsibilities. Controller processing requires recorded responsibility ownership, purpose ownership, and evidence ownership in REG02 before processing begins. Joint controller responsibility allocation, processor customer instruction ownership, subprocessor oversight ownership, approval status, and third-party responsibility escalation paths are managed through REG08. The Privacy Lead / PIMS Manager verifies role classification records in REG02 and REG08 quarterly and within 15 business days of material change. The policy further requires privacy advice, PII security responsibility input, breach and privacy incident escalation responsibility, unresolved responsibility disputes, and role-related escalations to be documented in defined evidence objects. Governance, measurement, exceptions, enforcement, and maintenance are built into the accountability model. Top Management reviews completeness, unfilled roles, role conflicts, accountability exceptions, and metrics during management review. The Privacy Lead / PIMS Manager performs quarterly accountability reviews, tracks unfilled and combined roles, reports role awareness completion, manages exceptions with defined expiry limits, and records missing, inaccurate, or outdated assignments as nonconformities. Process Owners / Business Owners must prevent go-live of new or changed PII processing where required role and accountability evidence is absent. Internal Audit / Compliance Reviewers test role evidence, report findings, and verify corrective action effectiveness. The policy itself must be reviewed annually and within 30 days of material change to the PIMS role model.