The GDPR sets out six principles relating to the processing of personal data. These include ‘lawfulness, fairness and transparency’, ‘purpose limitation’ and ‘data minimisation’. But then the GDPR adds another principle – that the controller “shall be responsible for, and be able to demonstrate compliance with” these six principles. This is referred to as the “accountability” principle. The ICO has said that “Accountability encapsulates everything the GDPR is about”. But what does it actually mean in practice?
Accountability is about putting data protection at the heart of your organisation. It means that you must consider data protection and privacy issues upfront when you are planning any new initiative. It includes things like:
- implementing data protection policies;
- recording your processing;
- taking a data protection by design and by default approach;
- having written contracts in place with processors;
- implementing appropriate data security measures;
- recording and, where necessary, reporting data breaches;
- appointing a data protection officer;
- establishing processes for handling data subject rights requests; and
- carrying out data protection impact assessments where needed.
Towards the end of 2019 the ICO consulted on the idea of developing a toolkit to help organisations comply with their accountability obligations. The objective is to provide down-to-earth, practical guidance on implementing privacy management programmes, based on an understanding of the technical challenges and other barriers (such as securing commitment to data protection from top management).
The ICO is planning to conduct a workshop on the toolkit in early February 2020. Following this, they expect to pilot the toolkit later in the year. It is hoped that this may help organisations, whose resources are already over-stretched, to achieve a good and practical level of compliance.