Guidance from the Information Commissioner’s Office says:
“The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles.
You must have appropriate measures and records in place to be able to demonstrate your compliance.”
What measures will help to establish Accountability?
A record of past compliance activity is a good start to any compliance framework. Documentation is important. There is a compliance saying: “If it is not documented, it does not exist”. That is the line that will be taken by the ICO. If you do not have a record of meetings, policy decisions, policies and procedures, training activity, then you cannot prove that they ever took place, let alone what the outcomes were.
Understanding what compliance activity will be required in future is the next logical extension to your compliance framework. The point about Accountability is that it is an ongoing commitment to compliance so there needs to be a plan for future compliance activity appropriate to the organisation, its data processing activities and the risk that these present to data subjects. Think about the cycle of continuous improvement. When will policies and procedures be reviewed? When will the GDPR implementation files from 2018 be revisited to check that all relevant aspects have been picked up and actioned? When will Article 30 records be reviewed to update and amend them?
There will be changes in data protection law and its interpretation which need to be identified and actioned. Changes could impact data processing operations, training material, and policies and procedures. You might consider subscribing to legal newsletters and to the newsletter on the Information Commissioner’s website for insights into how data protection is being policed, which will then influence culture, policies and procedures.
And it is not only the law and its interpretation that change over time. There will be changes in your organisation, its culture and its activities that also need to be accounted for in your data protection compliance framework. GDPR specifies the records of data processing that should be maintained. This is another key piece of the compliance framework. The Information Commissioner has said that unless you know what data is being processed, you can’t be sure that your operation is compliant.
Carrying out and documenting Data Protection Impact Assessments will help to evidence that account is being taken of changes in the organisation and its operations. Changes should also feed into the records of data processing, keeping them up to date, which is a further way to demonstrate controls for managing compliance.
The DPO role
Having a central point of contact for data protection compliance is another part of the compliance framework.
The designated Data Protection Officer is a statutory role under GDPR. Not all organisations need to designate a DPO, and it can be done as a voluntary appointment. The ICO recommends that organisations appoint a DPO as a central point of contact on data protection issues. While we agree that a central point of contact is a positive control, we do not recommend that the title “DPO” is used, as it brings all the statutory requirements in GDPR into effect. Use another job title, such as “Data Protection Adviser” or “Data Protection Coordinator”.
Summary – the compliance framework
To establish Accountability we suggest:
- Record your compliance activity
- Plan your future compliance activity, using your risk assessments:
  - Decide when to review policies and procedures
  - Decide when to review your data processing records to pick up changes in the organisation and its operations
  - Carry out DPIA risk assessments for new projects or changes to existing processes
- Appoint an individual or a team to act as a central contact for data protection issues
- Make sure that the individual or team has tactics to keep themselves up to date with developments in data protection law and interpretation
Accountability means that GDPR was not just for 25 May 2018. It is an ongoing commitment to data protection compliance. Bearing this in mind, make sure that someone in your organisation is regularly revisiting the compliance framework described above.
The DP-Smart Toolkit includes Action Sheets for each topic, setting out what action is required and providing a record of the actions taken in relation to that topic. Even if the only record is “This section does not apply to us” with initials, the date and a future review date, that is evidence that the issue was considered. It also includes GDPR-compliant templates of policies, procedures, staff training material and contracts, which are key aspects of a data protection compliance framework.