GDPR: Accountability and Governance
The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations.
What is the accountability principle?
The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
How can I demonstrate that I comply?
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
- Data minimisation;
- Allowing individuals to monitor processing; and
- Creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
You can also:
- Adhere to approved codes of conduct and/or certification schemes.
Records of processing activities (documentation)
As well as your obligation to provide comprehensive, clear and transparent privacy policies, if your organisation has more than 250 employees, you must maintain additional internal records of your processing activities.
If your organisation has less than 250 employees you are required to maintain records of activities related to higher risk processing, such as:
• processing personal data that could result in a risk to the rights and freedoms of individual; or
• processing of special categories of data or criminal convictions and offences.
What do I need to record?
You must maintain internal records of processing activities. You must record the following information. There are some similarities with ‘registrable particulars’ under the DPA which must be notified to the ICO.
- Name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer).
- Purposes of the processing.
- Description of the categories of individuals and categories of personal data.
- Categories of recipients of personal data.
- Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.
- Retention schedules.
- Description of technical and organisational security measures.
You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.
Information gathered from www.ico.org.uk.