Accountability
The GDPR is designed to ensure organisations are more accountable for their personal data processing activities.
This is emphasised by the new obligation to report personal data breaches to the ICO within 72 hours of becoming aware of the breach, and by the maximum level of fine that can be administered (€20 million, or 4% of global annual turnover if higher). The hacking incidents and leaks of the past year or so emphasise the need to have a plan in place to contain and manage a data breach before one occurs.
Accountability makes you responsible for complying with the GDPR and means that you have to be able to demonstrate your compliance on an ongoing basis, and to produce evidence of it should a regulator later ask. It can apply to any aspect of GDPR compliance, including for example:
- Implementing appropriate data protection policies and data security measures;
- Implementing appropriate training, awareness raising, monitoring and audits;
- Ensuring you have a record of processing activity where required;
- Ensuring you have appointed a Data Protection Officer where required;
- Adopting “data protection by design and by default”, and where appropriate carrying out data protection impact assessments;
- Having appropriate written contracts in place when engaging others to process data on your behalf.
The focus on accountability should also have an impact on record keeping relating to decision making under the GDPR. For example, you’ll need to keep a record of your assessment as to whether the legitimate interests condition for processing is met, and any decisions to supply or withhold information in response to a subject access request.