The Global Privacy Enforcement Network has conducted an annual intelligence gathering operation resulting in the 2018 GPEN Sweep Report published in early March 2019. The Report summarises the findings of the survey carried out by Data Protection Authorities on the implementation of the data protection principle of accountability into organisations’ internal policies and procedures.
In this piece, we look at these findings focusing on the UK and Irish organisations. Drawing on these findings, we then present the take-away messages that organisations should bear in mind to enhance accountability towards data subjects, the public and the supervisory authorities.
One of the novelties of General Data Protection Regulation (EU) 2016/679 (‘GDPR’) is the explicit addition of the principle of accountability in the data protection principles. Accountability means that organisations are responsible for and able to demonstrate compliance with the data protection principles. Accountability requires the design and implementation of appropriate measures and records in order to be able to demonstrate compliance with the GDPR.
The UK Information Commissioner’s Office (ICO) and the Irish Data Protection Commission contacted around 30 organisations across various sectors in the UK and Ireland respectively. The main findings on accountability in these jurisdictions are summarised as follows:
- Most organisations have implemented internal data protection policies and designed data protection training;
- Most organisations have appointed a person or function responsible for data protection governance and management;
- A large number of organisations have self-assessment and monitoring measures in place;
- A significant number of organisations, around 30% of the participants, admitted that they do not maintain records of processing.
What accountability means in practice
Despite these largely positive findings, it was also noted that, in many cases, organisations were not in a position to provide evidence of the accountability measures they claimed to have in place. Although accountability is not static, there are some basic steps organisations should follow as part of revising their policies and keeping them up to date. Specifically:
- Consider your role on a case-by-case basis: Both data controllers and processors are accountable under the GDPR;
- Create a data flow diagram (data map) to understand the data input and output and the associated responsibilities and risks;
- Identify and assess your existing policies, potential legal and organisational loopholes and set a timeframe to update them;
- In line with your accountability obligations under the GDPR, consider creating a checklist with all the expressly provided accountability obligations to check whether your staff are aware of them and whether policies and procedures for addressing these obligations are in place;
- Transparency is closely linked to accountability. Explain to data subjects and the public what you do with their personal data. Check whether your privacy policies are up to date and whether they cover all your activities, including marketing, recruitment, fundraising, etc.;
- Check whether the information communicated to the public is up to date, including your contact details, the nature and scope of processing activities and the contact details of your DPO;
- Adopt measures to handle security incidents and personal data breaches. Create mechanisms to make sure that any incident will be communicated in a timely manner within the organisation and that the affected data subjects and supervisory authorities will also be notified in accordance with law;
- Design training for all your staff, including training and information-awareness for new entrants and refreshers;
- Schedule regular checks and nominate staff in charge of reviewing and updating the internal policies per process and department;
- Check the best practices in the industry and apply them with respect to your obligations under law. For example, financial organisations and public authorities are subject to higher scrutiny;
- Make sure that you comply with national standards and requirements. For example, if you conduct criminal records checks as part of your HR and recruitment policies, under the UK Data Protection Act 2018, there is the additional accountability requirement for an appropriate policy document.
What can be concluded is that accountability is not only a high-level principle but a principle that transcends all data processing operations and requires concrete and tailored measures. Therefore, accountability should not be seen as a remedy to data protection flaws and organisational inadequacies but rather as demonstrated evidence that your organisation is seeking to follow best practice in the area of data protection.
For more information please refer to our service pages or contact our Data Governance team.