Out of the seven data protection principles within the General Data Protection Regulation (GDPR), the accountability principle stands out as one of the broadest and most significant aspects of compliance for organisations processing personal data. Article 5 sets out that, in addition to complying with the other six principles of the GDPR, organisations must also be able to demonstrate their compliance with those principles.
Under the Data Protection Directive, which pre-dates the GDPR, organisations used to be required to inform their local data protection authority of the processing activities they were intending to carry out. Since the introduction of the Directive, it has become widely recognised that organisations can, and should, incorporate privacy considerations consistently throughout the way they run their business.
The introduction of the accountability principle within the GDPR replaces the previous obligation to inform the data protection authority and instead compels organisations to take a greater degree of responsibility for both monitoring and demonstrating their own compliance.
This principle is also embodied in, and essentially identical under, the UK GDPR and the Data Protection Act 2018, which apply specifically to the United Kingdom.
Understanding Accountability in the GDPR
The accountability principle is a key aspect of the GDPR, requiring organisations to be responsible for, and to be able to demonstrate, compliance with the GDPR and the other GDPR principles. It ensures that organisations uphold ‘data protection by design and default’, as accountability requires data protection to be incorporated into all aspects of an organisation’s processing activities.
It is easier for an organisation to show accountability if it has considered how best to comply with the data protection principles from the very outset of developing a product or service, rather than retrospectively trying to comply. For example, an organisation conducting a retrospective review after already having decided to launch a product that collects and stores user data may find that unnecessary categories of data are being collected and stored in a way that is not sufficiently secure.
This will require destroying the unnecessary data fields, as organisations are not allowed to store data beyond what is necessary for the purpose for which it was collected, and will also require all the data to be migrated to a more secure platform that meets the technical and organisational security requirements. This is an example of something which could have been avoided had the organisation evaluated its data processing prior to launching the product and collecting data, which is also an obligation under the GDPR in addition to being more efficient.
Additionally, there are a number of benefits that the accountability principle ensures for organisations that comply with it. Firstly, organisations can build trust with customers and leverage their adherence to the data protection principles in order to enhance their reputation. Secondly, in the case that an incident occurs and an organisation faces scrutiny from supervisory authorities (such as the Information Commissioner’s Office), being able to demonstrate that the risks of data processing were considered and that the organisation had put relevant safeguards in place can reduce the likelihood or severity of enforcement action from the regulator.
Without such safeguards in place which demonstrate accountability, an organisation can face fines of up to 20 million euros, or 4% of its total worldwide annual turnover, whichever is higher (Article 83(5)(a)). Furthermore, internal training and procedures that tell staff how to handle data and explain matters such as how to report a breach reduce the likelihood of incidents caused by confusion about the internal procedures for handling data.
Key Roles – Data Protection Officer
Part of ensuring accountability is about having the right people in an organisation to interpret the legislation and to be responsible for monitoring how an organisation is adhering to it, taking steps to ensure that data is always processed lawfully.
Article 37 of the GDPR requires many organisations to appoint a Data Protection Officer. Amongst other responsibilities, the Data Protection Officer has statutory responsibilities under Article 39 GDPR to inform and advise the organisation about their GDPR obligations. They are also responsible for monitoring compliance with the regulation, undertaking data protection impact assessments, co-operating with the supervisory authority and providing staff training.
To ensure a level of objectivity, a Data Protection Officer must report to the highest management level and operate independently.
Organisational Measures for Implementing Accountability
The most important implication of the accountability principle is that it is a comprehensive requirement and not a ‘box-ticking or one-off exercise’ (ICO). Instead, organisations may need to implement a wide range of measures to adhere to the principles.
With regards to the processing of personal data, organisations may need to do the following to ensure accountability:
- Creating and maintaining a record of processing activities (ROPA) as per Article 30 of the GDPR, which will form the foundation of an organisation’s accountability framework. A ROPA sets out the details of the personal data processed by the organisation, capturing the data processing activities;
- Creating and implementing data protection policies which are reviewed and updated regularly to ensure they remain effective;
- Having written contracts in place with data processors and other third parties;
- Ensuring appropriate technical and organisational security measures are in place;
- Providing data subjects with sufficient privacy notices; and
- Completing Data Protection Impact Assessments (DPIAs) before engaging in processing which is likely to result in high risk to the rights and freedoms of individuals. These can be used to assess, identify and minimise data protection risks.
To ensure accountability within the organisation, the following may be needed:
- Implementing internal procedures and conducting training for staff; and
- Hiring a data protection officer.
In order to demonstrate accountability, organisations should be:
- Keeping up-to-date records of processing activities; and
- Carrying out audits and utilising metrics to demonstrate ongoing compliance.
It is important to note that ensuring accountability is a continuous process which does not stop even when the measures outlined above are in place. This is particularly relevant when considering how intertwined accountability is with the other data protection principles. For instance, the principle of integrity and confidentiality requires data to be processed in a manner that ‘ensures appropriate security’ which includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Utilising appropriate technical and organisational measures is also a requirement for demonstrating accountability, as data controllers have to demonstrate that they have assessed the appropriate level of security required depending on the potential risks of the processing in question (Article 32(1) UK GDPR).
Security Measures and Data Breaches
Article 32 of the GDPR mandates that organisations implement appropriate technical and organisational measures to protect personal data and ensure a level of security appropriate to the risk.
In doing so, organisations need to have technical measures such as pseudonymisation, anonymisation and encryption of personal data, whilst also ensuring that the data is backed up and can be restored in a timely manner. The data storage environment must be regularly tested to ensure confidentiality, integrity and resilience, with least-privilege access management and strong user authentication.
It is not enough merely for organisations to have these measures in place; they must also have robust policies, procedures and reporting structures (internal and external) in place to demonstrate how they protect the personal data. In doing so, this also helps organisations understand, map out and plan how they will protect the personal data.
Additionally, there should be a data breach policy and/or procedure in place. A personal data breach policy or procedure will help ensure employees know what to do in the event of a breach. If personal data breaches occur, it allows the organisation the opportunity to see whether the data was being protected in line with its policies or procedures and to make additional changes to the technical and organisational measures to adequately protect the data. This also provides the opportunity to benchmark future personal data breaches against previous ones to see if lessons have truly been learned.
Contracts
An effective measure for data controllers to take is to ensure that there are written contracts in place with other organisations when they share personal data, or with organisations that process data on their behalf. One of the key data protection compliance components is to have data processing agreements in place with data processors who process data on their behalf, and data sharing agreements in place with other data controllers with whom they share personal data.
Data processing agreements need to include all the requirements stipulated under Article 28(3) GDPR and be updated regularly.
Compliance and Enforcement
As the accountability principle requires organisations to be transparent and responsible for their data processing activities, there is the possibility that external parties, such as the data protection supervisory authority, will look at the accountability documentation.
Remember, it is organisations, not data protection authorities, who must demonstrate compliance with the law. They must have adequate documentation on data processing, with documented processes and procedures to tackle data protection issues.
In the event of a personal data breach, or a reported breach of the data protection legislation, the data protection authority will ask to see the accountability documentation and decide whether the organisation has complied with the legislation and whether it will take any remediation action. Therefore, it is important for organisations to design their procedures with the expectation that they will be seen by data protection authorities and other organisations. Such a mindset can help reduce reputational damage.
In the UK’s case, the Information Commissioner’s Office has issued an accountability tracker as part of its Data Protection Audit Framework which is designed to be a self-assessment tool to help organisations understand their compliance with data protection law and demonstrate how they comply with it.
Artificial Intelligence and Accountability
With the increase in AI-enabled services and products that process users’ personal data, it is important to consider the accountability implications of using and developing AI systems. The Information Commissioner’s Office (ICO) has warned that organisations cannot delegate their data protection responsibilities to the scientists or engineering teams who work on AI algorithms. Instead, the organisation’s senior management, which includes the DPO, is also accountable for understanding and addressing data protection issues that arise from using AI. The ICO identifies the main AI-related considerations regarding accountability as:
- Undertaking data protection impact assessments for AI systems;
- Identifying whether you are a controller or processor for specific processing operations involved in the development and deployment of AI systems and the resulting implications for your responsibilities;
- Assessing the risks to the rights and freedoms of individuals, and addressing them when you design, or decide to use, an AI system; and
- Justifying, documenting and demonstrating the approach you take, including your decision to use AI for the processing in question.
Conclusion and Summary
The accountability principle is the requirement to comply with and demonstrate compliance with the GDPR.
It actively places an obligation on organisations to implement data protection by design and default in their data processing activities and to conduct data protection impact assessments to assess potential risks at an early stage of the data processing lifecycle.
Organisations need to appoint Data Protection Officers (where applicable) to help them comply with the regulation and to ensure that such measures are adhered to.
Organisations need to have adequate technical and organisational measures in place to protect personal data.
Additionally, it requires organisations to ensure that they have a data protection framework in place, comprising regularly reviewed policies and procedures as well as contracts with third parties who will process data or with whom data will be shared.
This article was aimed at familiarising you with the accountability principle, how to comply with it, the benefits it ensures, and the key considerations regarding AI. If you have any questions or want expert support in helping you demonstrate compliance with the GDPR principles, check out our services or send us an enquiry at info@informationgovernanceservices.com.
Frequently Asked Questions
What is the accountability principle?
The accountability principle in the GDPR is the requirement for a data controller to be responsible for, and to be able to demonstrate compliance with, the six other GDPR principles.
What are the 7 principles of the GDPR?
There are 7 principles in the GDPR: 6 principles held together with accountability as an umbrella principle. The principles are:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality; and
- Accountability.
What is accountability according to the GDPR?
Accountability under the GDPR is twofold. Firstly, it is to be responsible for complying with the GDPR. Secondly, it is to demonstrate how you comply with the GDPR by taking responsibility for what you do to protect people’s personal data and their rights.
What is the adequacy principle of the GDPR?
There is no specific adequacy principle under the GDPR. Adequacy falls under ‘data minimisation’, which requires that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Essentially, the minimum amount of personal data needed for the purpose must be used, without capturing excessive information which is not needed for that purpose.