What is the seventh of the seven data processing principles outlined in GDPR?
The seventh principle of data processing is accountability.
Based on the principle of accountability, organizations must be accountable for their data collection, processing and storage activities.
Organizations must be able to demonstrate that they have taken the necessary measures to comply with their GDPR obligations.
GDPR text on accountability
Article 5 of GDPR provides that:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”
As indicated by this article, the seventh principle of accountability directly names data controllers as the parties required to be accountable for their GDPR obligations.
What is accountability under GDPR?
There are two important elements to the principle of accountability:
- Demonstration of responsibility
Companies must be able to prove that they are responsible for data privacy and protection and that they can demonstrate their compliance to the authorities.
How do you demonstrate accountability under GDPR?
To demonstrate accountability, you’ll need to show what efforts you’ve made to comply with GDPR and what you are doing to stay in compliance.
Are you taking any direct measures to comply with GDPR?
Are you proactive in data privacy compliance?
Has your organization implemented any specific measures to comply with GDPR?
Large organizations can implement controls to protect privacy, put privacy teams in place in charge of the company’s compliance obligations and monitor ongoing compliance.
Smaller organizations can implement proportionate risk-based privacy measures to show their compliance with GDPR and monitor their data processing activities on an ongoing basis.
Accountability is a broad principle
To be accountable under the GDPR principle 7, you must be able to prove your compliance with GDPR by showing concrete actions and steps taken on your part.
Accountability, yes, it’s a pretty broad principle!
This means that to be able to comply with the accountability principle, you first need to understand how GDPR applies to your business.
Once you understand your obligations under GDPR, you can then implement measures to ensure you comply.
What are the main obligations under GDPR to show accountability?
Accountability under GDPR will mean different obligations for different organizations.
A small company handling non-sensitive data will have different compliance obligations than a large organization collecting personal data for profiling purposes.
So what are the main GDPR obligations organizations need to comply with?
Implementing data protection policies
By adopting data protection policies, companies can incorporate data protection principles and practices into their day-to-day operations.
When policies are implemented, internal stakeholders have clarity as to what they should and should not do.
Internal policies demonstrate that the organization is taking accountability for its GDPR compliance by incorporating measures in place to achieve that goal.
Implementing data protection by design
Accountability can also be demonstrated by implementing data protection by design practices.
By adopting a data privacy by design approach when rendering services or producing goods, companies can be mindful of the privacy impact on consumers at every step of the production process and in every aspect of the goods produced.
Data privacy by design will help you incorporate privacy practices in the production process along with default privacy standards incorporated in your goods and services.
Implementing security measures to protect personal data
Implementing security measures is one key aspect of showing accountability.
By implementing security standards, using secure tools, adopting security best practices and so on, companies are able to demonstrate their concrete steps taken in protecting personal data.
Every company is exposed to security vulnerabilities and every company can do more to secure personal data.
Often, GDPR violations and complaints are related to security breaches and unauthorized access or use of personal data.
By properly evaluating the security risk affecting your organization as it relates to personal data, you can mitigate as much risk as possible to safeguard personal data.
Implementing data breach and remediation policies
Implementing data breach and remediation policies is another crucial aspect of proving accountability.
Do you know what steps you need to take in the event of a data breach?
Do you have to report the data breach to the data protection authorities?
Do you have to record the data breach in a register?
Should you notify the data subjects involved?
What is the role of a data protection officer in the event of a data breach?
These are all questions you should answer before you encounter a data breach.
Being ready and prepared to handle a data privacy incident will demonstrate your readiness and proper understanding of your GDPR obligations to the data protection authorities.
Also, once a data breach is identified, what should you do to remediate the breach?
What measures will you take so the breach does not happen again?
Performing data protection impact assessment
A data protection impact assessment is an investigation of your data processing activities aimed at identifying risks to the data subjects and mitigating those risks.
In some cases, the DPIA is voluntary and in other instances it is mandatory.
For example, if you are processing personal data considered to be of high risk, you must perform an impact assessment.
A DPIA can cover a single data processing operation or multiple processing operations.
GDPR indicates that a DPIA is necessary when:
- You systematically and extensively collect personal data for profiling with significant effects on the individual
- You process special categories of data on a large scale
- You systematically monitor publicly accessible areas on a large scale
Doing an impact assessment shows that you care to understand the privacy impact of your data processing operations and, thus, your accountability.
Appointing a data protection officer
Appointing a data protection officer is another way companies can show they take their accountability obligations seriously.
GDPR imposes a duty on organizations to appoint a data protection officer:
- If you are a public authority or body
- If you carry out large scale, regular and systematic monitoring of individuals
- If you carry out large scale processing of special categories of personal data
Smaller organizations are exempt from appointing a data protection officer.
Nonetheless, whether you have an obligation to appoint a data protection officer or not, it’s a good practice to have someone within your organization who understands the privacy laws and who can help you navigate them.
The seventh principle of accountability under GDPR requires companies to prove and demonstrate that they took measures to comply with GDPR.
To comply with the accountability principle, it’s important to understand how your organization is subject to GDPR in the first place so you can then take the necessary measures to comply.
Since GDPR’s application can be different for different organizations, each company must assess its own unique obligations and comply with them.
Some measures that can be considered to demonstrate accountability are the following:
- Adopting data protection policies
- Documenting the data processing activities in your organization
- Implementing appropriate organizational and technical measures to protect personal data
- Carrying out a data protection impact assessment depending on your data collection, processing and storage needs
- Keeping a log of data breach incidents
- Implementing remediation plans for any data breach or security vulnerability
- Assessing your company’s GDPR obligations on a regular basis
- Adopting a data privacy by design approach
Any proactive and concrete effort you’ve taken to comply with GDPR can help you demonstrate your compliance with GDPR and therefore your adherence to the principle of accountability.
For more content on the GDPR principles, read our post titled What Are The 7 Principles of GDPR?