Accountability

Article 5(2) of the GDPR states:

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Paragraph 1 of that Article sets out the principles relating to the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality.

The accountability principle requires you to take responsibility for what you do with personal data.

More specifically, Article 30(1) of the GDPR states:

Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

The controller's record must contain all of the following information (Article 30(2) imposes a separate, shorter record-keeping duty on processors):

  1.   the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer
  2.   the purposes of the processing
  3.   a description of the categories of data subjects and of the categories of personal data
  4.   the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations
  5.   where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
  6.   where possible, the envisaged time limits for erasure of the different categories of data
  7.   where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

Accountability is one of the data protection principles - it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.

You need to put in place appropriate technical and organizational measures to meet the requirements of accountability.

There are several measures that you can take, and in some cases must take, including:

  • Adopting and implementing data protection policies
  • Taking a ‘data protection by design and default’ approach (for more information, see Privacy by design)
  • Putting written contracts in place with organizations that process personal data on your behalf
  • Maintaining documentation of your processing activities
  • Implementing appropriate security measures
  • Recording and, where necessary, reporting personal data breaches
  • Carrying out data protection impact assessments for processing that is likely to result in a high risk to the rights and freedoms of individuals
  • Appointing a data protection officer, where required
  • Adhering to relevant codes of conduct and signing up to certification schemes

Use the Record of Processing Activities template to identify and track accountability issues.

Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.

If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organization.

Being accountable can help you to build trust with individuals and may help you mitigate GDPR enforcement action.