In this article, I will explain the different things you need to know about accountability, which roughly means that you as a data controller are obliged under the GDPR to document your compliance, in order to clearly demonstrate your compliance to a supervisory authority.
The CNIL, the official French supervisory authority, and the ICO, its counterpart for the UK, give the following definition of accountability:
Accountability refers to the obligation for companies to implement internal mechanisms and procedures to demonstrate compliance with data protection rules.
The principle of accountability is enshrined in Article 5(2) of the GDPR, the article that sets out the principles for processing personal data.
Article 5 – Principles for processing personal data
1. Personal data must be:
(a) Processed lawfully, fairly, and transparently with respect to the data subject (lawfulness, fairness, transparency);
(b) Collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes shall not be considered, in accordance with Article 89(1), as incompatible with the original purposes (purpose limitation);
(c) Adequate, relevant, and limited to what is necessary for the purposes for which they are processed (data minimization);
(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be kept for longer periods insofar as they are processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), provided that the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject are implemented (storage limitation);
(f) Processed in such a way as to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by means of appropriate technical or organizational measures (integrity and confidentiality).
2. The controller is responsible for compliance with paragraph 1 and must be able to demonstrate that compliance (accountability).
Recital 75 of the GDPR clarifies the notion of accountability in relation to the controller's responsibility and its documentation obligation.
Recital 74 Responsibility and Liability of the Controller
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established.
In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.
Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
The GDPR provides for a number of items that together make up a documentation folder. So which types of documents does the GDPR provide for in order to demonstrate compliance?
The CNIL, in its practical sheet "Documenting your compliance", lists the items to include in your documentation folder:
Documenting your compliance (CNIL)
The documentation on your personal data processing
1. The register of processing operations (for data controllers) or of categories of processing activities (for processors);
2. Data Protection Impact Assessments for processing operations that are likely to generate high risks for the rights and freedoms of individuals;
3. The framework for data transfers outside the European Union (in particular standard contractual clauses or BCRs).
Information to individuals
1. Information statements;
2. Models for collecting the consent of the persons concerned;
3. The procedures put in place for the exercise of the rights of individuals.
Contracts that define the roles and responsibilities of the actors
1. Contracts with subcontractors;
2. Internal procedures for dealing with data breaches;
3. Evidence that data subjects have given their consent when their data is processed on that basis.
Accountability is complete when your documentation folder contains all the elements demonstrating that you comply with your obligations under the GDPR.
The elements making up your documentation folder must be reviewed regularly and updated when necessary.
This is a brief introduction to GDPR accountability.
I invite you to contact a GDPR consultant or a DPO for more information and for help with the implementation.