The GDPR has introduced a new accountability principle: the data controller “shall be responsible for, and be able to demonstrate compliance with,” each of the six principles of the GDPR. For a principle summarised in 10 words, there is a significant amount of work required of organisations to ensure accountability, and there may be significant consequences if this work is not undertaken.
In the event of a data protection breach, the Information Commissioner’s Office (‘ICO’) may request (or potentially compel) evidence of an organisation’s compliance with each of the six principles of the GDPR. In practice, this will mean demonstrating that every aspect of an organisation’s data processing is undertaken in a fair, lawful and transparent way, that data is kept only for as long as necessary, and that it remains secure at all stages of the processing. Even if an organisation complies in every other respect with the principles, if it is not adequately able to demonstrate this compliance, it will be in breach of the GDPR.
There are three ways in which an organisation can ensure compliance with the principle of accountability:
1. Make someone responsible for data protection
Data protection must be a priority for the highest level of any organisation, whether this is a partnership of two or the board of a large company. Whether or not the GDPR requires the appointment of a data protection officer (see our earlier blog), it is important to ensure that there is a clear line of responsibility and accountability for the data handling practices of the organisation which leads directly to the senior leadership within the organisation.
2. Integrate data protection into your organisation
Data protection is not a ‘bolt-on’ to your organisation’s operations. Any new aspect of an organisation’s activities should be developed from the outset with data protection in mind. The GDPR created the concepts of ‘privacy by design’ and ‘privacy by default’, meaning organisations must consider data protection throughout the lifecycle of processing that data. The GDPR suggests that measures appropriate to ensure privacy by design and default could include minimising the data collected, applying pseudonymisation techniques and integrating measures to avoid security breaches.
3. Keep contemporaneous records
In the event of a breach of the principles, the ICO may want to see contemporaneous records. If such documents are not provided voluntarily, they can be compelled by service of an information notice, or the ICO may undertake a compulsory audit of the organisation. It will not be sufficient to create post-hoc records for these purposes; rather, it is essential that companies keep a complete set of “live” records. This will include both internal documents (such as policies and registers) and external documents (such as privacy notices). Failure to provide these documents will be a breach of the accountability principle of the GDPR, potentially leading to ICO regulatory action.
Article 30 of the GDPR requires data controllers to maintain a “record of processing activities” which includes the following information:
- Description of categories of data subjects and personal data;
- Purpose of processing;
- Categories of recipients of personal data, including recipients in third countries;
- Transfers of personal data to a third country or international organisations;
- Envisaged time limits for erasure of different categories of data; and
- Description of technical and organisational security measures to ensure security of personal data.
In addition, the ICO recommends that the following information should be included in the Article 30 record of processing:
- The source and location of each category of data;
- The lawful bases for processing each category of personal data including, where relied upon, the legitimate interest in processing that data; and
- Where consent is relied upon, evidence of how and when that consent was obtained.
Finally, the following documents should also be created and maintained:
- Documents prepared to fulfil transparency obligations to data subjects, such as privacy notices for websites, clients and staff;
- A full set of updated contracts between the organisation and other processor organisations such as IT or payroll suppliers (see our earlier blog);
- Data protection impact assessments, where required;
- Data sharing agreements, where these have been prepared;
- Legitimate interests assessments, where these have been prepared;
- ‘Appropriate policy’ required where certain conditions are relied upon to process special category or criminal history data (Part 4, Schedule 1 of Data Protection Act 2018);
- Clearly drafted information governance policies - including with respect to document retention, information security and data breach notification;
- A record of staff training sessions;
- A record of data protection breaches and the follow up action taken, regardless of whether reported or not (see our earlier blog); and
- A record of requests received from data subjects to exercise their individual rights and the response provided.
This collection of documents should become a live resource and record of the day-to-day data processing activities of the organisation. Where data processing activities change, these records must be reviewed and, where necessary, updated.
A data breach is a real risk for all organisations at any time and, with the introduction of compulsory notification to the ICO, there is a real risk of the ICO checking on an organisation’s overall compliance. Therefore, even though the ICO follows a policy of proportionate and targeted regulatory action given its limited resources, the new accountability principle creates a real incentive for organisations to fulfil all of their data protection responsibilities all of the time.