When the GDPR came into force (almost a year ago) it introduced a new data protection principle (or rule): Accountability.
The accountability principle essentially says it’s not good enough that you think you’re compliant with data protection laws, you have to prove it. It’s spread throughout the GDPR:
- Documentary evidence of processing activities
- Contracts between controllers and processors
- Data protection impact assessments
- Records of consent given
- Records of breaches
So it should be no surprise that accountability should be at the heart of your data protection compliance strategy. In fact, it had a bit of a starring role at the recent ICO Data Protection Practitioners’ Conference (in April), with the Information Commissioner, Elizabeth Denham, highlighting its importance in her opening speech. In the speech she says:
“For me, the crucial, crucial change the law brought was around accountability.
Accountability encapsulates everything the GDPR is about.
It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks.
It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.”
Strong words that highlight the ICO’s thinking about how important accountability is in terms of data protection compliance. But, she also goes on:
“But I’ll be honest, I don’t see that change in practice yet.
I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out.
And you know, that’s a problem. Because accountability is a legal requirement. It’s not optional.”
The Information Commissioner’s speech is a clear indication that the ICO don’t believe organisations are fully applying the accountability principle, which in turn opens that organisation to risk: risk to the way data is processed, risk to the rights of the data subjects and ultimately a risk to the organisation if they can’t demonstrate on inspection (by the ICO or others) that data protection compliance is fully embedded into the organisation.
So, where does that leave us in terms of what we should be doing to show accountability is at the heart of our data protection compliance?
Simply put, it’s about demonstrating you’re compliant, and that’s compliant today and, to the best of your ability, tomorrow, next week, next month, next year… GDPR wasn’t just about 25th May 2018, it’s about now and the future too. So what should you be doing? The accountability list is a long one, and compliance isn’t a quick fix, it’s an ever-evolving, ongoing process, but here are five key things you should be thinking about:
- Make sure someone within your organisation is taking responsibility for data protection and privacy compliance. Depending on your type of organisation you may have had to appoint a Data Protection Officer (DPO) who will be (or should be) taking on that responsibility. If you aren’t required to have a DPO, that doesn’t mean you can’t appoint one anyway. A lot of organisations appoint someone within the business who has data protection compliance added to their existing role – in our experience that could well be the HR manager, the marketing manager, or someone from IT. Often that person might feel lumbered with the role, so they may need some nurturing, but whoever they are they need the support and resources of the whole organisation. Whatever you do, make sure you have someone leading on compliance – how can you demonstrate compliance if you can’t show that someone is taking responsibility for it?
- Make sure you understand what data protection compliance means for your business. Some of the documentation requirements will help you with this, but it’s as much about understanding how the data minimisation principle applies as it is about what to do in case of a breach, for example. You need to understand the basics of data protection and apply them to the unique ways you’re processing data.
- Make sure you have implemented the key documentation requirements of the GDPR: document what data you process, how you process it and where (i.e. what systems), record those consents, keep a record of subject access requests you deal with, keep a record of data breaches (whether they’re reportable or not), produce internal guidance and policies demonstrating you’ve thought through some of the challenging impacts data protection has on your organisation, and so on. Document, document, document!
- Make sure your employees understand the basics of data protection. They don’t need privacy degree level training, but they do need to understand the basics. This means you need an internal education programme, you need to make sure new starters get data protection training as part of induction, and you need to make sure (a) you regularly (probably annually) refresh that training and (b) allow your employees to understand enough for them to reflect on how data protection impacts their role – and appreciate that this may vary in some areas of the business, where data is used for a specific purpose (e.g. HR, marketing, etc.).
- Review your compliance on a regular basis. This is the focus of our ebook “A Framework for Ongoing GDPR Compliance” which sets out 10 key things you should be doing at least annually to ensure you’re still compliant. The accountability principle requires you to be able to demonstrate your compliance and how can you do that if you’re not making sure you’re still compliant on a regular basis? Not only that, the GDPR says “the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.” (Article 24)
There’s so much to data protection compliance and accountability and what you can do is so much more than we can cover in this brief article, but with the ICO highlighting that there’s little evidence of accountability in practice, if you’re not already thinking about what you’re doing internally, now’s the time to start! And not having time or resource is no excuse – as the ICO put it recently (whilst highlighting issues with a company not renewing its data protection fee) “data protection doesn’t take a day off”, you need to be all over your compliance day in day out. Talk to us if you need help with that.