This is a modified concept. The concept of ‘accountability’ has long underpinned existing data protection requirements. For the first time, however, under the GDPR ‘accountability’ is enshrined as an explicit and free-standing data protection principle.
What is the accountability principle?
The current EU Data Protection Directive does not explicitly set out an ‘accountability’ principle. However, it does impose some specific obligations that operate to further accountability, including the requirement to provide data subjects with information about how their personal data will be processed.
In contrast, the GDPR now requires that businesses take, on a wholesale basis, a proactive, systematic and answerable attitude towards data protection compliance.
Central to this approach are the concepts of ‘privacy by design’ and ‘privacy by default’, which oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.
What accountability measures will be appropriate to address privacy risk will depend on the nature, scope, context and purposes of the relevant data processing as well as the gravity of any impact upon the rights and freedoms of individuals.
The accountability measures mandated under the GDPR include:
- Data subjects – Heightened requirements for information to be provided to data subjects at the point of collection including within privacy policies and notices.
- Internal records – While the obligation to register with a supervisory authority has been removed under the GDPR, organisations employing more than 250 people will in general have to retain comprehensive internal records of data processing activities, which are to be made available to supervisory authorities on request.
- Privacy Impact Assessments – Controllers are to ensure that a Privacy Impact Assessment has been carried out on any ‘high risk’ processing activities before they begin.
- Suppliers – Accountability stretches down the supply chain to vendors. Data processors must make available to controllers all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the controller.
- Data Protection Officers – Depending on the volume and kinds of processing of personal data carried out, businesses may be under an obligation to appoint a Data Protection Officer. This obligation will be covered in more detail in a subsequent briefing in this series.
What is the impact for organisations?
Business transformation takes time, budget and resource so businesses should be starting the steps described below as soon as possible.
Where businesses have not already designated budget and ownership for data protection compliance, these requirements could entail significant organisational spend.
What action is required?
- Obtain buy-in from senior figures within the business in order to be able to provide for the cultural and organisational changes required by GDPR.
- Assign ownership and budget for data protection compliance within your organisation.
- Ensure that a full compliance program is in place and that the program incorporates training and awareness-raising programs.
- Consider reporting lines, as supervisory authorities will expect privacy and security to be treated as a board-level matter where appropriate.
- Where such an exercise has not already been carried out, start work as soon as possible on a detailed data mapping exercise to determine what data is collected, how and why, where it is stored, who has access to it and what the legal justification is for processing it in the ways intended.
- Review your contracts with vendors to ensure that accountability measures (including obligations to contribute to processing records and audit rights) are provided for. If you are a supplier you will need to establish your business’s response to audit rights being presented by customers as a contractual requirement.
- Ensure that you have clear documentation and recording procedures in place to prove that you meet the required standards. Implement measures to prepare and maintain records of your organisation’s processing activities.