The Data Protection Act 1998 (“the DPA”) provides a legislative framework that is principle based, rather that one which is centred around lots of prescriptive rules. This approach is continued under the GDPR and Article 5(1) of the GDPR sets out 6 principles that are broadly similar to the 8 principles currently found in Schedule 1 to the DPA. The idea of accountability has been implicit in the field of data protection and privacy for some time now; however, the GDPR introduces explicate requirements around accountability, which can be found in Article 5(2).
The accountability principle means that data controllers will not only be responsible for ensuring compliance with the principles in Article 5(1) of the GDPR, but will also be responsible for being able to demonstrate compliance with the principles in Article 5(1). The GDPR also ends the current position whereby the statutory obligations all fall upon the data controller; data processors have certain statutory obligations under the GDPR and they will also have to demonstrate complaince with their obligations.
The accountability principle essentially means that there is an expectation that organisations will have in place comprehensive, but proportionate, governance measures. Many aspects of good practice that the ICO has recommended for a long time, such as privacy impact assessments (known as “Data Protection Impact Assessments” under the GDPR) and privacy by design, will be required in certain circumstances under the GDPR. They, of course, remain good practice where there is no legal obligation.
Under the DPA, data controllers are subject to a notification requirement which means that they must register with the ICO every year and pay a fee. As part of the notification procedure, data controllers give the ICO certain information about what personal data they are processing and how they are using it. The GDPR does away with the requirement to notify the ICO (it should be noted that the UK Parliament has already passed legislation which, if formally commenced, would re-introduce the registration requirement), but part of the accountability requirements under the GDPR requires certain data controllers to keep internal records of their processing activities. It is likely that the ICO will want to see these records when conducting any of its responsibilities as the supervisory authority. It would probably be considered good practice for all data controllers to keep such records, even if the GDPR does not require it.
All organisations with 250 or more employees are required to keep records of their processing activities. Furthermore, organisations with fewer than 250 employees are required to maintain records of activities related to higher risk processing, such as processing personal data that could result in a risk to the rights and freedoms of individual; or processing of special categories of personal data or criminal convictions and offences.
Accountability under the GDPR is all about being able to demonstrate compliance with the law. This will require organisations to have in place good policies and procedures and also a strong culture around record keeping.
If you would like advice on the accountability principle of the General Data Protection Regulation, or any other information law matter, then you can contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send him an E-mail directly.