Accountability is not a new concept in data protection. The existing EU Data Protection Directive incorporates principles of transparency and fairness, and requires organizations to be responsible and accountable for their processing of personal data.
However, the General Data Protection Regulation (GDPR) has now explicitly codified the accountability principle in Article 24, which requires that organizations implement “appropriate technical and organizational measures” to be able to “demonstrate” their compliance with the Regulation. This includes “the implementation of appropriate data protection policies”, and the organization is further required to review and update those measures where necessary.
As a result, it is expected that more businesses will be making data protection compliance programs and privacy management systems a core aspect of their data protection practices.
The concepts of privacy by design and privacy by default underpin the accountability principle and are at the heart of the shift in mindset the GDPR aims to achieve.
The specific measures an organization should adopt to demonstrate compliance will depend on the nature of that organization—its size and structure—and the data processing it carries out. It is clearly not a one-size-fits-all approach and compliance mechanisms may vary. But the accountability principle’s broader significance is to require companies to take full responsibility for their data protection, throughout the lifecycle of data they and their processors handle.
The GDPR calls for a more proactive and holistic approach than the existing legal framework. Embracing this change will be central to an organization’s compliance and will mean taking a more holistic view. Data protection should be included as a core consideration from the initial design of a product or service to the end of the data lifecycle.
In practical terms, the accountability principle means that a business acting as a controller may need to implement some of the following key practices:
- Maintain more extensive records of their processing activities. This should include the purposes of the processing, the nature of the data, categories of recipients, the categories of data subjects, any transfers of personal data abroad, including documentation of suitable safeguards, timelines for erasure of data, and a general description of the technical and organizational security measures applied to the processing activities.
- Ensure effective and transparent communication with data subjects regarding the processing of their personal data, and their rights.
- Conduct a comprehensive review of subscription and application forms, privacy notices and any other relevant website terms.
- Review the manner in which any consents are collected from data subjects to ensure they are sufficiently clear, precise, freely given, and can be easily revoked.
- Ensure the implementation of appropriate technical and organizational measures to adequately protect the rights and freedoms of data subjects. In addition, ensure that any processors provide sufficient guarantees so there’s a flow through of these protective measures to third parties working on your behalf.
- Review data processing agreements to ensure you are incorporating the GDPR’s mandatory provisions, such as the obligations to assist with data subjects rights, security and data protection impact assessments, and address the appointment of subprocessors.
- Where applicable, some businesses must appoint a Data Protection Officer to oversee their compliance and act as a point of contact for customers on data protection issues.
- Businesses must be able to identify where processing is likely to involve high risks so they can carry out a data protection impact assessment (“DPIA”) to assess the nature of the risks and implement the necessary safeguards.
Accountability isn’t a principle that can be adopted just once. It should become central to how a company thinks about data protection over the long term, and will require a commitment to a proactive and systemic approach.
Each organization will need to examine its individual processes and procedures with accountability in mind. But for an organization, embracing the mindset shift introduced by the accountability principle will be an important step towards ensuring effective compliance with the GDPR.
Please be aware that this article is provided as information only and should not be treated as legal advice. Please contact Bristows LLP (www.bristows.com) for more information.