GDPR Accountability Principle: A Data Controller's Obligation
Accountability is not a new concept in data protection, but whereas the principle of accountability was implicit in the Data Protection Act 1998, the General Data Protection Regulation explicitly enshrines accountability as an obligation for controllers, meaning that firms will need to take responsibility and prove that they are compliant.
Articles 5 and 24 of the GDPR require that controllers be able to demonstrate compliance; Article 5 specifically defines ‘accountability’ as being responsible for, and being able to demonstrate compliance with, the requirements of the Regulation.
As a brief reminder, the Regulation requires that personal data be:
Processed lawfully, fairly and transparently
Collected for specified and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate, and where necessary, kept up to date
Kept in a form which allows identification of individuals for no longer than is necessary
Processed in a manner that ensures appropriate security of personal data
Accountability goes hand-in-hand with the expectation that firms implement certain appropriate technical and organisational measures to ensure they meet the requirements.
This means that the firm’s governing body works to ensure a good data protection culture from the top down. Responsibility for this should start at the highest management level and be communicated effectively throughout the firm to staff at all levels, so that staff understand the principles and have sufficient knowledge of the requirements of the Regulation to inform the work they do and to ensure that accountability is enshrined throughout.
There are a number of key steps all firms can take to embed accountability.
Be proactive – Proactive approaches, with the principles of data protection in mind from the outset, help to make sure that the risks to individuals and obligations of the firm are fully considered. All firms should have updated their approaches to data protection at implementation in May last year, but accountability means that these exercises should be ongoing and require review and updating where necessary.
Implement a Governance Structure – Good data protection culture should be evident from the top down, and implementing governance structures or frameworks can help to drive compliance. These should ideally set out specific responsibilities and reporting lines, and make clear what activities need to be performed, when and by whom. Smaller firms, particularly those without Data Protection Officers, will benefit from implementing a proportionate structure that sets out who has responsibility for particular tasks and enshrines the importance of a good level of understanding of data protection amongst staff.
Policy and Procedure – Firms of all sizes should scrutinise their current procedures to make sure they’re in line with the GDPR, if this hasn’t already been done. New policies and procedures should be implemented where required; this is particularly relevant where some aspects of the GDPR are unfamiliar or make obligatory something that was only implicit in the 1998 Act. Firms should consider, for example, whether new policies and procedures are required for Data Protection Impact Assessments and for recording personal data breaches.
Record-keeping audit – Firms should review how records are kept, and whether current policy and procedure are in line with GDPR. Ensure that comprehensive and compliant records are kept, not only concerning data subjects and personal data breaches, but also where the firm considers options and takes decisions.
Training – Firms of all sizes should ensure that all staff have a good understanding of data protection, of the obligations of the GDPR, and of what data protection means for their role and for the firm. Training and testing of staff are a vital element of accountability. Firms need to show that they have implemented and adhered to their data protection policies and procedures, and training and testing provide key evidence of this.
Technical and Organisational Measures – The GDPR requires that firms take ‘appropriate technical and organisational measures’. These measures aren’t defined by the GDPR; instead, firms should consider what measures are appropriate based on the type and size of the firm, the work that it does, and the severity of the risks to individuals. In short, the higher the risk to the rights and freedoms of individuals, the stronger the security measures have to be. Article 32 sets out potential measures including:
Pseudonymisation and encryption of personal data
Ability to ensure confidentiality, integrity, availability and resilience of processing systems and services
Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
Security measures should be implemented if firms are handling any type of personal data, but where higher risks are involved, more and stronger measures should be considered. These measures should be decided upon by the Governing Body, with reference to expert advice if necessary, with the decisions taken documented.
A major element of the principle of accountability is being able to demonstrate that accountability.
Evidence – Firms should be able to show that they have taken their responsibilities under the Regulation seriously, have fully and appropriately considered the risks to subjects’ data, and have attempted to mitigate those risks. If firms cannot evidence that they have taken their responsibilities seriously – for example, where steps have been taken but cannot be evidenced because they were not recorded – this could leave firms open to enforcement action and reputational damage. Whilst this may seem onerous, being able to evidence compliance could help to mitigate any action taken by the supervisory authority in the event of a breach. In itself, the requirement to evidence may mean implementing a supporting procedure for decision recording and document retention.
Compliance with the GDPR starts with the Governing Board and permeates throughout the firm. Robust training is key to ensuring that all staff know what the GDPR means for the firm and for their roles. Our upcoming training package will be available for purchase through our website and provides in-depth training on the General Data Protection Regulation, supported by a number of activities to help embed the information, and can be adjusted to suit firm requirements.