Accountability is one of the seven principles of GDPR. The accountability principle requires data controllers to prove they’re GDPR compliant. Adhering to the accountability principle requires appropriate technical and organisational measures, regular data privacy assessments and appropriate record keeping.
In short, controllers and processors must take responsibility for how they process personal data and comply with other principles.
Article 5 (2) of GDPR states, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’) [emphasis added]”.
So, we can break accountability down into two parts:
- Responsibility for compliance: Being proactive and systematic about personal data protection.
- Demonstrating compliance: Showing proof of and justification for steps your organisation has taken to be GDPR compliant.
The accountability principle is also in Article 24, which requires controllers to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
In short, if you’re processing personal data, you are responsible and accountable for protecting that data.
How an organisation should show accountability depends on several factors, including the:
- Type of data being collected and processed
- Size of the organisation
- Sensitivity of data
- Risks to the rights and freedoms of individuals
GDPR does not specify what steps an organisation should take to show accountability. However, some steps might include:
The ICO recommends organisations adopt a data protection by design and by default approach, because this approach will naturally lead to accountability and compliance. Data protection by design and by default simply means that data privacy is considered, and appropriate policies are implemented, at every step of the data processing journey, from collection to eventual deletion.
GDPR legislation recommends several measures an organisation can take to ensure data privacy by design and by default. These are:
- Minimising data collection
- Improving security features
Formiti offers a full suite of data regulation services to help you stay compliant and accountable in every market your organisation operates in. Our services include: