While the principle of accountability has been an implicit requirement in the local European data protection laws, the GDPR emphasizes its importance by introducing explicit provisions.
Article 5(2) requires the controller to:
“… be responsible for, and be able to demonstrate compliance with [principles relating to processing of the personal data],”
Article 24 of the GDPR requires the data controllers to:
“… implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
The above means that accountability requires a good understanding of which personal data you process, why you process it, and the legal grounds that apply to the processing. This is not just a box-checking exercise. The understanding should be systematic and ongoing, while demonstrating compliance means that you can prove this understanding at any time.
The three main principles of accountability
To embed accountability throughout your organisation, you need to make sure that the following three principles are implemented (T. Troester-Falk “An Accountability Approach to Demonstrating Compliance” , CPO Magazine, September 2016):
1. Responsibility:
- The appropriate technical and organisational measures have been implemented and are maintained proactively, systematically, and on an ongoing basis.
2. Ownership:
- The technical and organisational measures are embedded at each level in the organisation, within each department or function that processes the personal data.
3. Evidence:
- The relevant documentation can be produced and used as evidence to demonstrate compliance at any time. Compliance should be demonstrated to the data protection authority, and to interested parties (clients, employees, etc.).
What is the key enabler to embed the responsibility and ownership?
Data governance, in terms of the GDPR and the Accountability Principle, goes far beyond the need to appoint a Data Protection Officer (DPO) to be held accountable for the enterprise-wide privacy program. It encompasses the people, processes, and information technology that ensure that important data assets (personal data being one of them) are formally managed throughout the enterprise, and clear decisions are made.
In order to enable the business to obtain the relevant and correct data, it is important to make a uniform and transversely aligned process of data loading and transformation. Similarly, the data marts should be governed in the same manner.
As such, data governance is a key enabler to embed the responsibility and ownership, as without it:
- You won’t be able to define the processing purposes of the data.
- You won’t be able to manage and control the data and its quality according to the responsibilities you have for it.
- Getting the data in a relevant form and of the right quality is a burden for the business, which needs to have access to the right data in the right form at any time.
- Finally, you won’t be able to optimize the value you could retrieve from the data.
Data governance implies the implementation of the following items:
- Common understanding of the data the organisation holds. It requires the implementation of:
- an enterprise-wide data model and business glossary – these two items help your organisation to create a common view on data, meaning that everyone within the organisation talks about the same concepts and uses the same terminology to describe these concepts. This will eventually reduce inefficiencies that result from several business lines handling the same data without realizing it.
- information classification – depending on the risk associated with the information, appropriate control measures need to be put in place. The classification of the information can be structured around the ISO 27k standards that identify three distinct dimensions of the confidentiality, the integrity, and the availability (CIA) and the risk appetite of your organisation.
- A control plan over data and a remediation action plan, if necessary – while creating your control plan, keep in mind that on one hand, the control plan has to show evidence of compliance, while on the other hand, your IT should contain the fewest number of controls possible so as not to add overhead to the existing processes. Use a risk-based approach as your guidance.
- Data ownership Implementation by assigning the roles, and ensuring that data owners can exercise their duties and the supporting normative framework of policies, standards, procedures, and/or guidelines.
- Properly defined policies and procedures will help you set up basic rules for data governance and make sure that the outcome will be achieved in a coherent and effective way.
- The ownership of data and information lies within the business side of the organisation, as they can truly understand the value and risk of information. The business will therefore have to take up formal ownership and clarify the constraints, the business rules, the required data quality, etc.
What can serve as evidence to demonstrate compliance?
As many as 39 articles of the GDRP require evidence to demonstrate compliance. The GDPR sets different ways to demonstrate compliance, e.g.:
- Implementing the data protection processes. Formal documentation can be provided as evidence.
- Maintaining and implementing organisational measures, such as policies and procedures. A control log can serve as evidence.
- Implementing an organisational chart with described roles and responsibilities. A control log can be evidence of effective implementation.
- Last, but not least, is running a data protection impact assessment (DPIA), where appropriate. As stated in the Article WP29 draft guidance on DPIAs: “DPIAs are important tools for accountability, as they help controllers not only comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the regulation. In other words, a DPIA is a process for building and demonstrating compliance.”
Things to remember
Executing accountability obligations under the GDPR involves more than checking a box. The regulation impacts your organisation on every level, whether processes, people, or technology. When implementing it, you should keep in mind that having a one-time snapshot of your organisation’s situation will not make you compliant. Compliance comes through the ability to demonstrate the existence of the ongoing, embedded processes that support the compliance at any time, and showing evidence of it.
Start from defining the appropriate technical and organisational measures to keep your personal data under control and to govern it by the appropriate owners. Do not forget to keep the evidence of the above. The evidence should be available off the shelf at any point in time to demonstrate it to your regulator.