Accountability is one of the seven principles of GDPR. The GDPR accountability principle requires data controllers to prove they’re GDPR compliant. Adhering to the accountability principle requires appropriate technical and organisational measures, regular data privacy assessments and appropriate record keeping.
In short, controllers and processors must take responsibility for how they process personal data and comply with other principles.
- What the accountability principle means
- How to demonstrate accountability
- Accountability by design and by default?
- How Formiti helps you stay accountable
Article 5 (2) of GDPR states, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’) [emphasis added]”.
So, we can break accountability down into two parts:
- Responsibility for compliance: Being proactive and systematic about personal data protection.
- Demonstrating compliance: Showing proof of and justification for steps your organisation has taken to be GDPR compliant.
The accountability principle is also in Article 24, which requires controllers to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
In short, if you’re processing personal data, you are responsible and accountable for protecting that data.
How an organisation should show accountability depends on several factors, including the:
- Type of data being collected and processed
- Size of the organisation
- Sensitivity of data
- Risks to the rights and freedoms of individuals
GDPR does not specify what steps an organisation should take to show accountability. However, some steps might include:
- Implementing a data governance structure
- Completing a gap analysis
- Creating a data map
- Training staff members on data privacy regulation
- Conducting relevant privacy impact assessments, including data protection impact assessments (DPIAs) and legitimate interests assessments (LIAs)
- Appointing a data protection officer (DPO) if necessary
- Updating data privacy policies and notices with the principles of GDPR in mind
- Keeping a record of processing activities (ROPA), including records of consent and personal data breaches
- Utilising data processing addendums for all third-party vendors
- Managing and recording data subject access requests
The ICO recommends that organisations adopt a data protection by design and by default approach, because this approach will naturally lead to accountability and compliance. Data protection by design and by default simply means that data privacy is considered, and appropriate policies are implemented, at every step of the data processing journey, from collection to eventual deletion.
GDPR legislation recommends several measures an organisation can take to ensure data privacy by design and by default. These are:
- Minimising data collection
- Improving security features
Formiti offers a full suite of data regulation services to help you stay compliant and accountable in every market your organisation operates in. Our services include: