What is the Accountability principle in data protection law?
GDPR sets out the data protection principles in Article 5 and then specifies that the controller is both responsible for, and should be able to demonstrate compliance with, the principles.
The responsibility for compliance with the principles has always rested with the controller, but GDPR has taken it a step further by specifically requiring evidence of compliance.
Organisations are expected to put into place comprehensive but proportionate governance measures. Data protection should be appropriate in the circumstances of the processing and this is a standard theme throughout GDPR.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, they are likely to mean more policies and procedures for organisations and compliance checks to ensure that they are practical, effective and that colleagues know what they are, where they are and when to follow them.
How do we demonstrate Accountability?
1 Adopt written policies and procedures
There are standard policies and procedures that relate to personal data processing which the national supervisory authority would expect to see: an overarching Data Protection Policy, other policies and procedures to regulate data sharing, outsourcing data processing to third parties, data retention, handling the exercise of subject rights, using CCTV, making audio recordings of phone calls, using special category data, security of personal data and other operational policies and procedures to set down guidelines for how personal data is obtained, used and stored.
Promote the policies and procedures to colleagues; if they are not aware of them or do not understand how they apply to their work, they will not be followed.
Carry out regular reviews of policies and procedures and document the review and the findings. Activities change over time and colleagues find quicker ways of working, so policies and procedures need to reflect current practice as well as the current legal interpretation of issues.
2 Maintain records of the organisation’s personal data processing activities
These are required under Article 30 of GDPR and should include detail about: data subjects, categories of data, categories of special category data, the purposes of the processing, the sources of the data, the identity of any third parties the data is shared with, whether any data processing is outsourced to third parties, the data retention period, whether the data is subject to any automated decision making and whether the data is transferred to countries outside the EEA.
These records can only be created with direct input from the managers of those departments which process personal data, and the exercise of creating the records and then reviewing them provides an opportunity to question some of the underlying practices around data collection, use and retention. Reviews of the records need to be documented to meet the evidential aspect of Accountability.
3 Appoint a central contact for data protection queries
Some data processing activities require the appointment of a Data Protection Officer, and the promotion of a central point of contact for queries about data protection will help focus colleagues' awareness of data protection. Use a different job title if a designated DPO is not required, such as Data Protection Adviser or Data Protection Coordinator.
Note that details of a designated Data Protection Officer need to be registered with the Information Commissioner’s Office on the organisation’s registration entry.
Give the DPO or DPA a page on the organisation’s intranet. Policies and procedures can be signposted from here. Also, many data protection queries come up time after time. Let the data protection contact collect the usual queries and present them as Q&As on the intranet.
4 Clearly defined roles and responsibilities
Although GDPR only defines the role of the Data Protection Officer, and some organisations do not even need one of those, a clear chain of command and authority on data protection is needed. The highest level of management should be seen to endorse the Data Protection Policy. The risk management process should expressly include data protection risks at all levels, from identification of risk, through managing and avoiding the risk, to reporting to the highest level of management. A central contact for reporting personal data breaches is essential to ensure that problems are picked up quickly and referred appropriately. Line Managers should be made specifically responsible for the personal data processed in their department. All colleagues carry some responsibility, as there are criminal offences in data protection law in the UK; liability for unauthorised and unlawful obtaining and processing of personal data is the key one. These roles and responsibilities should be set out in the organisation’s Data Protection Policy as a minimum.
5 Carry out Data Protection risk assessments
GDPR calls these Data Protection Impact Assessments (“DPIAs”) and they are mandatory for new projects or changes to existing processes that present a high level of data protection risk to data subjects, their data or their rights. We have found in practice that it is useful to carry out a DPIA for any new project or change of existing processes because it encourages colleagues to consider the data protection implications of their work and how they will undertake their work in future. Applying the principles of data protection to a practical scenario is a good method of training colleagues and refreshing their understanding of data protection.
DPIAs must be documented. Completed ones can be added to the DPO/DPA intranet page to provide working examples for the future.
6 Data protection by design and data protection by default
GDPR promotes the principle of adopting technical solutions to data protection issues. The kind of measures recommended are:
Allowing individuals to monitor processing; and
Creating and improving security features on an ongoing basis.
Probably the key concept is that data protection must constantly respond to the developing challenges of the collection, use and storage of personal data. “Profiling” was a new and potentially threatening use of data a few years ago. Google Analytics presents sophisticated opportunities to exploit customer data far beyond what we imagined profiling could do. IT security has morphed into cyber security: as firewalls and virus protection gained strength, criminals started to target users as the weak link.
Email security is an ongoing issue for those who try to safeguard personal data. New developments mean that it is possible to use software to encrypt email even where the recipient does not have an encryption key. “Registered” style delivery services are now available.
Set up a working party to monitor developments and assess which ones might be useful to support operations involving personal data processing.
7 Do we need to carry out audits?
It depends on the risk presented to data subjects, their personal data and their rights by the personal data processing operations carried out by your organisation. The level of risk should inform whether audits are required and how frequently they are required.
As well as risk, there are other circumstances that may inform the decision to undertake a data protection audit. Instructing an audit can be a good way to demonstrate to clients that the organisation is focused on compliance as part of its service offering. A good audit report can help to build trust. Also, large and/or prestigious organisations should have a complete compliance audit plan, of which data protection will necessarily be a part.
Issues identified in an audit report must be taken forward. Either comply with the recommendation or explain in writing why it would be inappropriate. An audit report is always in writing and provides an audit trail of the weaknesses of the organisation’s data protection, so it is vital that a written response is made in every case.
Accountability will look slightly different for every organisation, but these key elements should be covered. Check internal compliance controls against this and every other checklist you can lay your hands on. Our Toolkit contains information about GDPR to explain issues and help you plan for implementation, together with GDPR-compliant template policies and procedures. The templates can be used to check for required content in your own policies and procedures, or simply adopt them “as is” to make good any gaps in your cover.