GDPR – Accountability principle
The GDPR introduces a new principle called accountability. This is in line with a global trend to make accountability a legal obligation.
What does it mean?
The accountability principle makes the data controller responsible for ensuring that the six data protection principles of the GDPR are adhered to.
However, it’s not enough for an organisation to merely comply with the GDPR’s data protection principles. The organisation must also be able to demonstrate that it complies.
The specific processes that demonstrate compliance vary widely. It depends entirely on the complexity of personal data processing that occurs.
The level of accountability that a one-person business would usually be held to is very different from that of a large multinational organisation.
Typical processes that an organisation might undertake include:
- Assessing current data privacy practices, ensuring that there is a data governance structure in place and, depending on the size and nature of the organisation, possibly appointing a Data Protection Officer, known as a DPO.
- Creating a personal data inventory, so that all of the personal data held is accounted for.
- Implementing and/or updating privacy notices.
- Ensuring that there are proper processes and procedures in place for obtaining specific consents from data subjects.
- Adopting appropriate organisational and technical measures to comply with all six data protection principles.
- For some organisations, conducting a Privacy Impact Assessment.
- For organisations of virtually any size, developing a personal data breach reporting mechanism.
Unfortunately, the GDPR text offers little guidance on the measures that data controllers need to take to meet their accountability obligations.
The ICO has expanded on this a little: its accountability and governance guidance gives advice on demonstrating compliance.
An organisation should implement appropriate technical and organisational measures to ensure that they can demonstrate compliance.
This includes policies on staff training in data protection (doing a course like this demonstrates that staff are trained in GDPR awareness and its key obligations), conducting an internal processing audit, and ensuring that HR policies are reviewed.
Organisations also need to maintain relevant documentation on their personal data processing activities.
Further advice includes, where appropriate, appointing a data protection officer, ensuring that data protection measures are ‘by design’ and ‘by default’ and, for many organisations, conducting Data Protection Impact Assessments.
Some organisations may enlist the help of certification bodies or adopt approved codes of conduct. This is usually the case for companies in a particular industrial sector.
Organisations need to prepare for dealing with subject access requests, known as SARs, from individuals exercising their rights under the GDPR. They also need to be in a position to respond to requests and deal with investigations driven by the ICO.
This is a preview lecture from our online course ‘GDPR In a nutshell’. For the full course please visit https://www.udemy.com/gdpr-in-a-nutshell/