Accountability is the new hot topic in data protection. GDPR says that the controller shall be responsible for, and be able to demonstrate compliance with, the Data Protection Principles in Article 5, and it adds the word “accountability” to the end of this statement.
The ICO website says accountability makes the organisation responsible for complying with GDPR and, further, that it must be able to demonstrate that compliance. The ICO goes on to list suggested compliance measures, which are set out below, each followed by our comments.
Suggested compliance measures
- adopting and implementing data protection policies; We suggest that, to meet the accountability principle, these must be in writing. Which policies and procedures are required in addition to a Data Protection Policy will depend on the data processing activities undertaken by the organisation. The compliance team should plan to review these periodically.
- taking a ‘data protection by design and default’ approach; Following the Data Protection Impact Assessment regime will highlight data protection compliance issues to address when making any changes to existing processes or embarking on a new project. Data protection training for members of business development and IT teams will also help to embed good compliance at the planning and design stage.
- putting written contracts in place with organisations that process personal data on your behalf; A written procurement policy with sample contract terms ensures that those involved in procuring services carry out due diligence on new and existing suppliers and put appropriate contract terms in place. Regular checks of service providers’ contract terms will be needed if the organisation contracts on the supplier’s standard terms and conditions. Often it is not possible to negotiate a specific contract, and the service user relies on the standard terms published on the supplier’s website, for example Amazon Web Services. Those standard terms will be updated from time to time, so at least an annual (documented) check of the required content is needed. Also make sure that you follow up any website links to set up specific, individual addendum contracts that incorporate the data processor terms. This might involve downloading a data processing agreement, signing a copy and even submitting the signed copy back to the service provider via an IT “support ticket”.
- maintaining documentation of your processing activities; This refers to the records required under Article 30. Preparing them would have been part of the work undertaken in the lead-up to GDPR, but these records need to be maintained and kept up to date. If they have not been reviewed since 2018, a review is now required. We also recommend that the DPIA process includes adding relevant details to the organisation’s Article 30 records as new projects go live and start data capture, and as changes are made to processes that affect data processing activities.
- implementing appropriate security measures; Carry out a review of security covering both technical and organisational aspects. IT teams should be familiar with standard technical security measures, including cyber security.
- recording and, where necessary, reporting personal data breaches; We also recommend “walking through” a data breach scenario to test the procedures and to foster a better understanding among the senior management team of the effects of a breach.
- carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests; We recommend that DPIAs are carried out for every change to existing processes and for every new project. Until a risk assessment is carried out, it can be difficult to perceive where the risk lies. A relatively innocuous change to activities can easily tip an organisation over into the requirement for a designated DPO. Only if all aspects of the project or change are considered from the data protection angle will all the potential consequences be identified.
- appointing a data protection officer; Even if data processing activities do not trigger the need for a DPO, it is good practice to identify a point of reference for data protection queries (internal and external). In practice, the legal trigger for appointing a DPO is not the only reason for designating one: there can be pressure from large clients, or it might simply be expected in particular sectors. Although the role is generally seen as a poisoned chalice, there is little risk involved provided the DPO has the relevant skills and experience and carries out the tasks prescribed in GDPR in a way that can be evidenced. He or she also needs to be able to evidence the reports made to senior management on the true state of data protection compliance at the organisation.
- adhering to relevant codes of conduct and signing up to certification schemes.
It is possible to take out cyber and data breach insurance against the risk of data protection breaches, and that is a sensible option in the current climate.
We offer a managed service for data protection compliance for our clients. We specialise in data protection so you don’t have to. We can carry out many checks on your behalf, manage your Compliance log, answer data protection queries and generally advise on GDPR. Ask us for a quote.