This informal CPD article, ‘Meeting the Data Protection Accountability principle’, was provided by Essex County Council, the local authority for Essex, who have a vision for Essex to be a county where individuals, families and communities can thrive and prosper.
The Accountability principle at Article 5(2) of the UK GDPR states: ‘The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (accountability)’.
Paragraph 1 sets out the other data protection principles, which are:
1. Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
So how do you demonstrate compliance with these principles?
The Information Commissioner’s Office (ICO), which regulates information law, provides guidance [1] on each principle, including how it expects organisations to meet the Accountability principle. Data protection principles are the foundation of data protection law. The ICO states in its guidance:
‘Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.’
Helpfully, the regulator also provides an Accountability Framework [2] to help you assess your organisation’s current practices and understand how you can evidence accountability. There is no one-size-fits-all approach: the level of accountability expected is in direct relation to the volume and type of personal data processing your organisation undertakes. The ICO sets out ten categories of measures it expects most organisations to have in place to evidence accountability.
ICO Accountability Framework
The types of evidence the ICO would expect to see under these categories include:
1. Leadership and oversight
- Organisational Structure including appointing a Data Protection Officer
- Appropriate Reporting to Oversight and Operational Groups
- Operational Roles & Responsibilities
2. Policies and procedures
- Direction and support
- Review and approval
- Staff awareness
- Data Protection by design and default
3. Training and awareness
- All staff training programme, including induction and refresher training
- Specialised roles
- Monitoring
- Awareness raising
4. Individuals’ rights
- Informing individuals and identifying requests
- Logging and tracking requests, including timely responses
- Monitoring and evaluating performance
- Individual complaints
5. Transparency
- Privacy notice content
- Timely and effective privacy information which is regularly reviewed
- Staff awareness
- Tools supporting transparency and control
6. Records of processing and lawful basis
- Data-mapping
- Records of processing activities requirements and good practice
- Documenting your lawful basis and consent requirements and reviews
- Legitimate Interest Assessment
7. Contracts and data sharing
- Data sharing policies, procedures and agreements
- Restricted transfers
- Controller-processor contract requirements
- Processor due diligence checks and reviews
8. Risks and data protection impact assessments (DPIAs)
- Identifying, recording, and managing risks
- Data protection by design and by default
- DPIA policy and procedures
9. Records management and security
- Creating, locating, and retrieving records
- Security for transfers
- Data quality
- Retention & Destruction schedule
- Rules for acceptable software use
- Business continuity, disaster recovery and back-ups
10. Breach response and monitoring
- Detecting, managing, and recording incidents and breaches
- Assessing and reporting breaches
- Notifying individuals
- External and Internal audits or compliance checks
- Use of performance and compliance information
All organisations should regularly check that they have in place the necessary mechanisms to demonstrate, and evidence, compliance with the Accountability principle at a level appropriate for their organisation. Should you need to report a personal data breach to the ICO, it will likely ask to see evidence of accountability relevant to the particular circumstances of the breach.
We hope you found this article helpful. For more information from Essex County Council, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.
References:
1. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/
2. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/