Article 5(2) of the GDPR states that the data controller is responsible for ensuring and demonstrating that an organisation meets the accountability principle. In this article, Charlotte Bolt looks at why the accountability principle is so important, and how you can ensure you meet it.
How does the principle affect your organisation?
Transformation takes time, money, and a determination to make a change. Buy-in from senior figures is essential to make the cultural and organisational changes the GDPR requires, and those senior figures should therefore lead by example.
Businesses often view data protection compliance as an expense, whereas it should be viewed as a way to save money in the long term. Many organisations forget that they can face hefty fines for things that could easily have been prevented. Fines for infringements of the GDPR principles can be as high as €20 million or 4% of worldwide annual revenue, whichever is higher.
You should also be able to, at any moment, demonstrate compliance to regulators when requested.
The importance of Accountability
Article 5(2) of the GDPR provides that the “controller shall be responsible for and demonstrate compliance with paragraph 1 (‘accountability’).” The ICO published the accountability framework towards the end of last year, to help organisations meet the accountability principle set out in Article 5(2). The guidance makes it clear it is the responsibility of the controller to demonstrate compliance with the legislation.
The framework is split into ten sections:
- Leadership and oversight
- Policies and procedures
- Training and awareness
- Individuals’ rights
- Records of processing and lawful basis
- Contracts and data sharing
- Risks and data protection impact assessments (DPIAs)
- Records management and security
- Breach response
What do you need to do?
Meeting the accountability principle is about taking a proactive approach towards data protection; this is the concept of data protection by design, as opposed to data protection by default (Article 25 and Recital 78 GDPR). Larger organisations are likely to have a data protection framework, but from our perspective here at DPAS, many organisations lack awareness at management level owing to gaps in basic knowledge and understanding.
The ICO sets out that leadership is a ‘fundamental building block’, and the GDPR is very insistent on the fact that everyone needs to take ownership of, and responsibility for, their handling of personal data. At DPAS we have found that the most effective way to address cross-organisational knowledge gaps is through training.
(Our next upcoming course on meeting the Accountability Principle is in November, with another session in March.)
Key Action Points
- Maintain and update your record of processing activities (ROPA) – Article 30 GDPR
- Be proactive and organised
- Use a data protection management framework
- Commit to a culture of data protection
- Implement policies – Article 24(2) and Recital 78 GDPR
- Document decisions and actions – Articles 7, 30 and 33(5) plus Recitals 42 and 82 GDPR
- Implement appropriate security measures – Article 24(1), Article 32, and Recitals 39 and 83 GDPR
- Carry out data protection impact assessments – Articles 35-36, and Recitals 84 and 89-95 GDPR
- Consider whether you need to appoint a DPO – Articles 37-39 and Recital 97 GDPR
- Adhere to relevant codes of practice – Articles 40-43 and Recitals 98 and 100 GDPR
- Review and update measures
- Maintain a record of data breaches
The ICO has provided the accountability tracker, which will help your organisation establish where it is on its journey to data protection compliance.
Do you need any agreements or contracts in place?
Wherever there is a controller and processor relationship, a written contract needs to be in place. Having the correct contracts and agreements in place is essential in demonstrating compliance and accountability (Article 28 and Recital 81 GDPR).
As such, please consider the following points:
- Do you have a data sharing and processing agreement log?
- Do you have a review procedure in place and conduct due diligence checks?
- Are you able to identify international transfers and what provisions need to be in place?
- Do the agreements and/or contracts address all the provisions set out in Article 28 of the GDPR?
- Is personal data the subject of the transfers, and does the GDPR therefore apply?
- Is the data anonymised, pseudonymised or minimised?
- Are you assessing the need for a DPIA?
If you would like any further advice or explanation on what has been discussed, then please do reach out to us at DPAS.