Our guide to demonstrating GDPR accountability will give you an understanding of the accountability principle.
Adhering to the data protection principles, as set out in Article 5 of the UK GDPR and the EU GDPR (GDPR), is vital when organisations are striving to comply with this legislation. Arguably, all of the principles are of equal importance and no particular principle outranks another. That said, the accountability principle is directly linked to all the other principles, as well as to numerous Articles within the GDPR. This overarching effect means that a failure to comply with the accountability principle is likely to have serious consequences for an organisation’s overall data protection compliance.
In this guide, we’re going to break down the different aspects of how to demonstrate GDPR accountability including topics such as data protection officers, data protection impact assessments, codes of conduct and more.
What is accountability?
It is worth noting that accountability is not an entirely new requirement for organisations as it was implicit under the pre-GDPR data protection regime in the UK (Data Protection Act 1998). The difference now is that it is expressly required under the GDPR. Article 5(2) of the GDPR succinctly describes the accountability principle as an obligation on the controller to be responsible for and be able to demonstrate compliance with all of the other data protection principles. What this means in practice is that, if you are a controller, you need to take responsibility for how you process personal data and, not only comply with the principles but show that you comply. It is not sufficient to simply assert that you are adhering to the GDPR without any evidence in support. It is necessary to verify this with documented proof. We take a look at how to do this below.
Demonstrating GDPR Accountability
The most efficient way to demonstrate your compliance is to implement an accountability framework. This framework would consist of numerous fundamental parts, each designed to protect personal data as standalone elements and which, when applied together, would provide a robust data protection structure, enabling you to fulfil the requirements of the accountability principle. These elements are likely to include the following.
Data Protection Officer (DPO)
Article 37 of the GDPR places a legal obligation on organisations to appoint a DPO in certain situations. If those situations apply to your organisation, it’s imperative that you appoint a DPO, as he/she will form a key part of your framework (and, thus, your demonstration of GDPR accountability). However, even if your organisation does not fall into this category, you may consider designating a suitably skilled and knowledgeable DPO on a voluntary basis. By taking this step, you will help ensure that you have advice and assistance on all data protection related matters as and when you need it, which will help your organisation achieve and maintain compliance. If you’re interested in learning more about the benefits of hiring a DPO, read our recent blog on how a ‘DPO can drive positive change’. See our previous blog for guidance on when to appoint a DPO – The DPO checklist evalian®.
In any event, it is important that you assign an individual with the requisite knowledge of data protection legislation to oversee your organisation’s data protection compliance. Remember, your organisation must still comply with all the other aspects of data protection legislation applicable to your business irrespective of whether you require a DPO – good knowledge and experience of data protection is important. If you don’t have these skills in-house, you can seek support from an organisation like ourselves.
Data Protection Policies
Another crucial element of the framework is data protection policies, to which Article 24 of the GDPR makes specific reference. The number of policies and the detail within them will vary from business to business. In particular, large organisations with complex, high-risk or numerous processing activities may need more policies than micro-organisations with straightforward, low-risk personal data processing activities. That said, all controllers are likely to require the following policies within a basic compliance file:
- Data Protection Policy;
- Data Subjects’ Requests Policy;
- Personal Data Breach Policy;
- Retention & Secure Destruction Policy;
- Data Protection Impact Assessment Policy;
- Data Protection by Design and by Default Policy; and
- Information Security Policy.
If appointed, your DPO may take responsibility for preparing, providing input into or approving these documents. However, once the policies have been drafted, the work does not stop there. They will need to be implemented, which means that all employees who process personal data, or have access to it, will need to be familiar with the policies. The documentation should also be reviewed and updated on a regular basis, such as once a year, or more often if needed as a result of changes or developments in the law or within your organisation.
Information security is a key element of data protection but goes beyond personal data. A good information security policy and supporting documents should cover all company information assets and systems, not just the personal information you hold. But – and it’s a big but – personal data will be among your higher risk/impact information assets. As such, an up-to-date information security policy is an important element of your accountability framework even if the document does extend beyond personal data and is owned by another business stakeholder (such as your information security manager).
Record of Processing Activities (ROPA)
Under Article 30 of the GDPR, organisations must maintain a record of processing activities (commonly referred to as a ROPA), unless they are exempt (because they fall within the scope of Article 30(5)). Your ROPA sets out details of your personal data processing activities and will form the foundation of your framework. Even if your organisation is exempt, it is advisable to maintain a ROPA (or an inventory of the personal data that you process) and ensure that it is continually updated as this will not only assist you with satisfying the accountability principle but will enable you to see, from one document, exactly what your personal data processing activities are and identify any potential risks posed by your processing activities. It can also be developed into a full data map and data protection risk register, thereby creating additional benefits.
Having prepared a ROPA, you will be able to identify any third parties you are sharing personal data with, such as processors or other controllers, and check that appropriate contracts are in place. Article 28 of the GDPR requires controllers to enter into Data Processing Agreements (DPAs) with any processors they instruct. Such DPAs must be in writing and cover certain criteria, and they are an important piece of your framework.
It is also advisable to enter into written contracts with any joint controllers you have arrangements with. This is not an explicit GDPR requirement, but it is our recommendation. Joint controllers are covered by Article 26, which doesn’t mandate a contract, but joint controllership gives rise to responsibilities and obligations which should ideally be agreed upon between the parties. Having a contract in place will help clarify the respective roles of the joint controllers and demonstrate a good level of data protection accountability.
Article 32 of the GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data. Technical measures cover, as the name suggests, technical controls used to mitigate information security risks. These will commonly include encryption, least privilege access management, strong user authentication and authorisation, anti-malware software, perimeter security controls (such as firewalls) and security assurance activities potentially including vulnerability scanning and penetration testing.
Organisational measures cover the non-technical controls that should be implemented including policies, procedures, awareness training, having defined security roles and responsibilities, identifying and managing security risks and performing non-technical assurance activities including incident response exercises and security auditing.
Again, ensuring you have evidence of all the security measures you implement is key for satisfying the accountability principle. For example, in terms of data protection awareness training, you should keep a register of who attended and when, together with a copy of the training material, proof that the learning was tested and that each member of staff achieved satisfactory results.
Personal Data Breaches
Many organisations accept that it is inevitable that they will have to deal with a personal data breach at some point, if they have not already. If your organisation is unlucky in this regard, it is important that the incident is fully investigated and documented and, if necessary, reported to the supervisory authority and the data subjects affected, in accordance with Articles 33 and 34 of the GDPR. Keeping full details of any personal data breaches is a necessary task for the accountability principle (and a specific GDPR obligation under Article 33(5)), but it will also enable you to identify and address any weaknesses or gaps in compliance.
A personal data breach policy or procedure will help ensure your employees know what to do in the event of a personal data breach and will form one of the information security ‘organisational measures’ referred to above. As well as having the policy, we’d recommend running a tabletop exercise at least annually, especially if you process higher risk personal data. GDPR doesn’t explicitly mandate incident response exercises but does require testing, assessment and evaluation of the effectiveness of security measures. Exercises will help demonstrate accountability in this regard and help mitigate the risks of a breach by improving your response capabilities.
Data Protection by Design and by Default
Under Article 25 of the GDPR, controllers are required to comply with data protection by design and by default by ensuring that the data protection principles are embedded into all their processing activities. One way of demonstrating this and, therefore, obtaining the proof needed under the accountability principle, is to conduct Data Protection Impact Assessments (DPIAs), where required by law and, in some cases, even where they are not mandatory. We don’t suggest that you conduct a DPIA for every single processing activity, but DPIAs are useful when implementing new systems or technologies that will process personal data, to ensure that privacy risks are considered.
Data Protection Impact Assessment (DPIA)
A DPIA is a tool that controllers can use to identify, assess and minimise the data protection risks of personal data processing activities, and DPIAs link closely to the concept of Data Protection by Design and by Default. Article 35 of the GDPR sets out the circumstances in which DPIAs are mandatory, namely, where the processing activities are likely to result in a high risk to the rights and freedoms of individuals. By conducting DPIAs where required, you will effectively be documenting that you have carefully considered and addressed the risks to individuals, which constitutes useful evidence for the accountability principle. If you’re interested in learning more about how to complete a DPIA, we recently posted a blog on the reasons you should complete a DPIA.
Codes of Conduct and Certification Schemes
Article 40 of the GDPR makes provision for Codes of Conduct and Certification Schemes and, whilst signing up to these is voluntary, they are one way of demonstrating that your organisation complies with the GDPR. In the UK there are no approved Codes of Conduct yet, but the Information Commissioner’s Office (ICO) has approved the criteria for three certification schemes, namely the ADISA ICT Asset Recovery Certification, the Age Check Certification Scheme and the Age-Appropriate Design Certification Scheme.
In addition to the above, to ensure your organisational and technical measures remain effective, we would recommend you introduce and document compliance with Key Performance Indicators in relation to data protection with a view to aiming for continuous compliance and/or improvement. By doing so, you can then identify issues and trends which will allow you to mitigate any identified risks before they become larger problems for your organisation.
An On-going Task
If, as a controller, you implement and document the above measures, you will be creating evidence of your compliance with the GDPR, all of which can be used to fulfil your obligations under the accountability principle. Keep in mind, however, that the above is not simply a checklist that you can tick off once each item has been completed. It is an ongoing task, and all of the elements must be revisited and updated on a regular basis. For example, reviews should be conducted at least once a year, and more frequently where necessary, such as following a personal data breach or the proposed introduction of new processing activities.
What about processors?
We have focussed on the responsibilities of controllers in this blog because, as mentioned above, Article 5(2) of the GDPR specifically states that the obligation is on controllers to be responsible for and demonstrate compliance. This would suggest that the accountability principle does not apply to processors. However, when considering the rest of the GDPR it becomes apparent that processors do have a number of obligations and, unless they maintain written records in support of these activities, they may struggle to show their compliance. For example, in certain circumstances, processors are required to maintain a Record of Processing Activities and appoint a DPO, both of which require documented information. There are further obligations imposed on processors when they are instructed to carry out processing activities for controllers and when processors instruct sub-processors. In view of this, processors do have an obligation to demonstrate their compliance as well as controllers.
Further guidance on accountability can be found on the ICO’s website. In particular, the ICO has issued an accountability tracker in the form of an Excel spreadsheet setting out the ICO’s expectations in relation to data protection compliance. The ICO also has an online accountability self-assessment tool, which is made up of the main questions from the accountability tracker and takes around 50 to 60 minutes to complete. Once you have submitted all your answers, you will be presented with a high-level report identifying the areas in which you have achieved compliance, together with the areas in which improvements are required.
What’s the point?
You may consider that following the above approach involves a great deal of work and you would be right. At first glance, complying with the accountability principle may feel like a daunting task and, as it is an ongoing obligation, it may feel like the work is never, ever done. However, it is achievable if each individual within your organisation plays their part so that, over time, implementing the above measures becomes business as usual. Once at this stage, the benefits are clear. By satisfying the accountability principle, it is likely that you will also be satisfying all the other principles under the GDPR, as well as the numerous GDPR Articles highlighted above.
By doing this work, you will be nurturing an in-house data protection culture where your employees have the privacy of personal data at the forefront of their minds and, as a result, personal data breaches are less likely to occur. This means that you will be minimising the risk of being subjected to formal enforcement action by your supervisory authority, as well as the unwanted glare of any associated negative publicity.
Further, as employees will know that your organisation takes its data protection compliance seriously and is careful to look after not only client data but employee data, this can help create a working environment where staff know they can trust their employer with their personal data.
In addition to that, putting the above measures in place will lead to the added bonus of building trust and confidence with your clients and potential clients, thereby enhancing your reputation and giving you a competitive edge within your industry. Put simply, if you comply with the GDPR and can prove it, people are more likely to trust you and want to do business with you, which can only be a good thing!
That being said, as we highlighted in our recent blog regarding the DCMS consultation that took place in September this year, there could be some changes to UK data protection legislation in the near future. As always, we will keep you updated, watch this space.