Accountability is an essential principle of the GPDR (General Data Protection Regulation). It requires organisations to take responsibility for compliance and to demonstrate their actions.
The concept was implicit in the GDPR’s UK predecessor, the Data Protection Act 1998, but the GDPR goes further, outlining specific measures that organisations must take.
We explain each of those in this blog, but first let’s look at why accountability is essential for GDPR success.
Why accountability matters
The GDPR’s accountability principle covers two distinct areas of compliance. The first is relatively self-explanatory: organisations are responsible for the way they process personal data.
There are no get-out clauses for compliance and you must be able to prove that you’re compliant if called upon – such as when your supervisory authority investigates a complaint or you suffer a data breach.
This covers GDPR compliance as an obligation – a set of rules organisations must follow to prevent disciplinary action.
But documenting your compliance practices is, equally, an opportunity for your organisation to improve its relationship with customers and third parties, because it allows you to show that you take data protection seriously.
How to be accountable under the GDPR
There are several things organisations should do to demonstrate accountability under the GDPR:
- Create data protection policies
Everything an organisation does to stay secure, from implementing new technology to developing physical barriers, relies on people using those systems properly.
Data protection policies ensure this happens, providing instructions for staff to follow.
Policies can also govern the general behaviour of employees in the office, providing advice on things like acceptable Internet use, password management and remote access.
- Achieve data protection by design and by default
This is the GDPR’s version of ‘privacy by design’, requiring organisations to consider information security risks at the outset of any processing activity and business practice.
The objective is for organisations to foresee any problems before they commit to a project. This enables them to find the best solution rather than whichever one can fit around the existing system.
- Draw up contracts between data processors and data controllers
A data controller is, in simple terms, the party that decides what personal information to process and the parameters for its collection – what lawful basis applies, how long the data will be stored, etc.
The data processor is the party that collects and stores this information, and it must do this in line with the data controller’s requirements.
In many cases, organisations will fulfil both functions, but in others, the data controller will hire a third party to process the information.
When that happens, it’s essential that the two parties sign a contract agreeing on their responsibilities. This ensures both parties understand what’s expected of them, and in the event of a data breach, makes it easier to identify who was at fault.
- Implement appropriate security measures
The GDPR states, somewhat vaguely, that “appropriate technical and organisational measures” are essential to manage risks.
It doesn’t go into specifics because best practices are always evolving as new technologies and threats emerge.
Organisational measures generally cover policies (which we discuss above) and staff training, whereas technological measures can vary greatly depending on the way your organisation operates.
Antivirus and anti-malware software are essential for most, as are network monitoring solutions and vulnerability scans. You will probably also benefit from encrypting personal data – particularly when it’s in transit – and using Cloud storage providers.
You can find out which other technological solutions are suitable after conducting a risk assessment.
- Record and report data breaches
You are required to keep a record of every security incident you experience, and if it poses “a risk to the rights and freedoms” of data subjects you must report it to your supervisory authority within 72 hours of becoming aware of it.
Reportable risks are generally those in which affected individuals face economic or social damage (such as discrimination), reputational damage or financial losses.
- Appoint a data protection officer
DPOs (data protection officers) are independent experts who monitor organisations’ data protection practices and advise them on how to achieve compliance.
Organisations are required to appoint a DPO if they are a public authority or body, regularly and systematically monitor data subjects, or process special categories of personal data on a large scale.
However, the help that a DPO provides means that many organisations would benefit from appointing a DPO even if they aren’t required to.
- Respond to data subject access requests
The GDPR strengthens individuals’ rights concerning the way organisations use their personal data.
To ensure this right is being met, individuals can submit DSARs (data subject access requests) – sometimes referred to as SARs.
This grants them access to copies of their personal data and other details about the processing, such as the data retention period and who the information has been (or will be) shared with.
Organisations have one month to respond to a DSAR, and there are several steps they must complete, so they need a process that ensures the information is sent correctly and promptly.
- Complete data protection impact assessments
A DPIA (data protection impact assessment) is a process that helps organisations identify and reduce risks when processing personal data.
A DPIA must be carried out whenever personal data processing is likely to result in a high risk to the rights and freedoms of individuals.
The GDPR doesn’t define a threshold for risk, but it does outline three types of processing that always require a DPIA: systematic and extensive profiling with significant effects, large-scale use of sensitive information, and large-scale public monitoring.
In addition, the ICO (Information Commissioner’s Office) says that DPIAs are necessary when implementing new technology, assessing denial of service, and processing biometric or genetic data.
It also states that DPIAs should be conducted when data matching, conducting invisible processing, tracking individuals’ movements or behaviour, targeting children or vulnerable people for specific types of processing, and processing involves risk of physical harm.
Accountability is a complex, ongoing task
We’ve listed a lot of tasks here, and you need to continually monitor them to ensure GDPR compliance success.
The way your organisation operates and the threats it faces are always changing, so to be truly accountable for your practices, you need to be sure that they’re appropriate for your current needs.
Our CyberComply platform helps you manage this task, containing tools designed to help you:
- Conduct risk assessments;
- Track regulatory requirements;
- Map the flow of data through your organisation; and
- Conduct DPIAs.
This Cloud-based application helps you take total control of your cyber risk and data privacy management monitoring and compliance.
Available on a monthly or annual subscription basis, CyberComply enables you to manage your GDPR compliance needs in a way that suits you.