To celebrate international Data Privacy Day 2021 (28 January 2021), the Birketts Data Protection Team has produced a series of data protection top tips articles. This bite-sized advice series is designed to provide you with some easily digestible compliance tips, focusing on some of the key issues we see clients dealing with on a daily basis. Today we are focusing on accountability. Claire Hunt shares her data protection top tips…
- ICO Fee: Controllers need to pay a data protection fee to the Information Commissioner’s Office (ICO) (previously the requirement was to register with the ICO). To see how much you are required to pay, use the ICO assessment tool.
- Article 30 Records: Article 30 UK General Data Protection Regulation (UK GDPR) lists the information that (i) Controllers and (ii) Processors are required to record in writing (electronically is fine). The ICO can request to see these records, so it is important that you have them and that they are up to date.
- DPIA: You must complete a data protection impact assessment (DPIA) if the processing activity you are carrying out is likely to result in a high risk to the rights and freedoms of individuals (i.e. significant physical, material or non-material harm). DPIA’s should be done before the relevant processing starts and kept under review while it continues.
- Breach Records: All personal data breaches must be recorded – even if they are not reported to the ICO. The record must contain (a) facts around the breach, (b) effects of the breach, and (c) remedial action taken.
- Policies: The accountability requirement means that the controller is responsible for and must be able to demonstrate its compliance with the 6 core data protection principles set out in Article 5(1) UK GDPR. In summary these are that personal data is:
- processed in a lawful, fair and transparent manner (lawfulness, fairness and transparency)
- collected for specified, explicit and legitimate purposes and not further processed in a way that is inconsistent with such purposes (purpose limitation)
- adequate, relevant and limited to what is necessary for the purposes it is processed (data minimisation)
- accurate and kept up to date (accuracy)
- kept in a form which permits the data subject to be identified for no longer than is necessary (storage limitation)
- processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
Documentation wise, one of the key ways to demonstrate your accountability compliance is through your business’ policies (both internally and externally facing), which you would be able to provide to the ICO if and when requested.