The General Data Protection Regulation (GDPR) sets out seven key principles. Arguably the most important of these is the accountability principle, which has two key elements:
- Firstly, data controllers are responsible for complying with the GDPR
- Secondly, data controllers must demonstrate their compliance
Article 5(2) of the GDPR says:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
The Information Commissioner’s Office describes accountability as “a real opportunity for you to show, and prove, how you respect people’s privacy.” In this sentence the ICO is issuing a warning to data controllers, which it develops in the sentence that follows:
“Furthermore, if something does go wrong, then being able to show that you actively considered the risks and put in place measures and safeguards can help you provide mitigation against any potential enforcement action.”
The ICO expects organisations to demonstrate their compliance with the accountability principle by evidencing the steps they have taken to comply with it. This requires an organised approach and an understanding of what is required.
Compliance should be embedded and demonstrable across the organisation. The ICO would expect strong programme controls, appropriate reporting structures, and assessment and evaluation procedures.
It would also expect a good level of understanding and awareness of data protection among all staff, a comprehensive bank of data protection policies and procedures, and a record of what the organisation has done in terms of data protection and why.
Where a data controller processes special category data, extra safeguards and risk assessments would be expected, showing that the controller is aware that such information, if lost, represents a high risk to the rights and freedoms of the data subjects.
Data Security Breach
If an organisation suffers a data security breach or a serious data protection problem, its management should be able to show that data protection risks had been actively considered and that measures and safeguards had been put in place. If this can be shown within the context of a privacy management framework and good staff training, enforcement action may be avoided. Conversely, if something has gone wrong and an organisation is not able to show good data protection practices, enforcement action is much more likely.
Policies and Procedures
The ICO is always keen that data controllers have written data protection policies and procedures which are actively maintained. The ICO has produced a checklist which data controllers should take into account when reviewing their management of data protection risks. Its main points are as follows:
- We take responsibility for complying with the UK GDPR at the highest management level.
- We keep evidence of the steps we have taken to comply with the UK GDPR.
- We put in place appropriate technical and organisational measures.
- We take a data protection by design and default approach.
- We put written contracts in place with organisations that process personal data on our behalf.
- We maintain a documented record of our processing.
- We record and where necessary report personal data breaches.
- We carry out data protection impact assessments where appropriate.
- We have appointed a data protection officer (where necessary).
- We adhere to relevant codes of conduct.
- We review and update our measures at appropriate intervals.
Data controllers should revisit the recommendations in the checklist on a regular basis. The checklist should also form part of an organisation’s data protection training.