lntroduction

The General Data Protection Regulation (GDPR) states that accountability is the ability to demonstrate that a data protection programme has been implemented and is run in compliance with the law. Here, we briefly discuss accountability requirements, including data protection management systems, data protection impact assessments (DPIAs), privacy policies and the role of the data protection officer (DPO).

Accountability

The GDPR states that the controller must have a data protection programme.

It says (Article 24(1)):

‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary’.

The text specifies a risk-based approach to data protection resulting in technical and non-technical measures that can demonstrate compliance with the GDPR.

Controllers must review and update their systems to ensure they remain robust.

Data processors also have similar obligations to (Article 28(1)) in addition to other processor accountability obligations, such as record­ keeping. Where accountability obligations apply only to controllers, processors have a duty to support the controller in fulfilling those obligations e.g. contributing to audits (Article 28(3)(e)), and data subject access requests (Article 28(3)(e)).

An important aspect of accountability is the ability to demonstrate compliance with the GDPR. In order to demonstrate compliance with the GDPR, the data controller or data processor should maintain records of processing activities under its responsibility (Article 30). Each data controller and data processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations (Recital 82).

There are circumstances that will trigger a recording obligation. These include processing personal data for organisations of 250 or more employees. Or, regardless of the organisation’s size, controllers and processors are obligated to keep records if the processing is likely to result in a risk to the rights and freedoms of data subjects; is not occasional; or includes special categories of data or data relating to criminal convictions and offences.

Because this final trigger is broad, recording obligations likely will apply to organisations with fewer than 250 employees.

If required to keep personal data processing records, controllers and processors have slightly different obligations. These are:

Controller records (Article 30(1))

  • Name and contact information of the controller and the DPO;
  • Purposes of processing;
  • Categories of data subjects, personal data and recipients of the data;
  • International data transfers being made and the measures put in place to ensure they are lawful;
  • How long the personal data is being retained and the timeline for deleting that data;
  • A general description of technical and organisational security measures that have been implemented.

Processor records (Article 30(2))

  • Name and contact information of the processor, the controller and the DPO;
  • Categories of processing carried out on behalf of the controller;
  • International data transfers being made and the measures put in place to ensure they are lawful;
  • A general description of technical and organisational security measures that have been implemented.

Let us know if we can help you!

Author: Yvonne Morris

Email: yvonne@cloudlegalsupport.com

website: www.cloudlegalsupport.com

twitter: @CloudLegals

FB: fb.com/cloudlegalsupport

CloudLegal is a tech-enabled legal support consultancy which promises practical commercial and jargon-free advice. We support all company matters, commercial contracts/ Ts & Cs (including software and IT), employment & HR as well as data protection matters. We have various services including: