How to Demonstrate Accountability for GDPR Compliance?
Accountability is one of the most important data protection principles. Learn how to demonstrate this in your organisation with our key methods for ensuring compliance.
Accountability is one of the most significant principles of the UK GDPR. It shows to your clients, key stakeholders and employees that you’re committed to protecting personal data and take data protection seriously.
But how do you show accountability in practice? Previously, we covered some example ways of doing this; now, we'll explore each method in detail.
What Is the Accountability Principle?
Under Article 5(2), the GDPR states that organisations are responsible for complying with the following six data protection principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
This responsibility falls within the accountability principle, which goes beyond knowing your obligations to being able to prove your compliance.
You need to demonstrate the measures you’ve taken to protect data subjects’ rights and freedoms so they can feel assured their personal data is in safe hands. Meeting this principle will improve overall compliance with the UK GDPR and demonstrate your organisation respects people’s privacy.
How Do You Demonstrate Accountability?
So, how do you comply with the accountability principle? There is no single prescribed way, but below we outline some of the best measures you can take:
Implement Data Protection Policies
Under the UK GDPR, you must implement data protection policies where appropriate. It’s just one part of the GDPR documentation required to help comply with your legal obligations.
What policies you may have will vary from business to business, but there are some that should be mandatory across all:
- Data Protection Policy
- Privacy Notice
- Employee Privacy Notice
- Data Retention Policy
- Records of Processing Activities
For more guidance, see our latest guide on writing a data protection policy. We outline what needs to be covered and why policies are essential for your business.
Once the policies are approved, the real work begins. Your data protection officer (DPO) or senior management must ensure your employees know these policies and what is required of them in their day-to-day roles when handling personal data.
Organise Processor Contracts
If you engage organisations that handle personal data on your behalf, such as a CRM provider, you should enter into a written, binding contract called a Data Processing Agreement (DPA). This agreement sets out the roles and responsibilities of both parties for the processing, holding both accountable for meeting their obligations.
The contract or legal agreement should specify that the processor must follow your documented instructions unless the law requires otherwise, and must ensure their staff keep the data confidential. It should also state that the processor must help the controller manage individuals' rights requests and must agree to audits and inspections.
The ICO provides more detail on what to include in your contract. A contract will help key parties understand their obligations and demonstrate good accountability.
Carry Out & Maintain RoPAs and DPIAs
Assessing and recording your processing activities shows you’re doing everything in line with your accountability obligations.
Before completing a record of processing activities (RoPA), we recommend a data mapping exercise. A data map draws out what personal data you process, where it comes from and goes, and how you store it. This is the foundation of your RoPA, which documents how and why you’re processing data. Listen to part one and part two of our RoPA roundup for more insight.
Where processing is likely to pose a high risk to data subjects' rights and freedoms, you should assess the potential data protection risks alongside recording your activities. A data protection impact assessment (DPIA) helps you identify and minimise these risks from the start of a new project, so you can address them before they materialise.
This GDPR documentation helps maintain transparency and accountability across your organisation. To maintain this, make it easily accessible so employees can keep it up-to-date and accurate.
Employ a Data Protection Officer
Organisations should identify a responsible person to assist in the organisation's efforts towards data protection compliance. Where applicable, organisations will appoint a data protection officer (DPO), who has specific tasks to carry out under Article 39 of the UK GDPR. Where certain criteria are met, appointing a DPO is a legal requirement; discover whether you need to appoint a DPO in our blog.
You can appoint your DPO in-house or outsource the role, the latter being ideal for eliminating conflicts of interest. At Data Protection People, our outsourced DPOs work independently from internal affairs and act solely on behalf of the law. If you do not require a DPO, you should still ensure that someone is responsible for managing your obligations.
Schedule Data Protection Training
Now that you have organised all the policies, procedures and measures, you need to implement them. Your employees should receive appropriate data protection training to ensure they are aware of their responsibilities.
Essential training may include handling subject access requests (SARs), managing personal data breaches or becoming a Data Champion. This training should be regularly refreshed to demonstrate your commitment to data protection.
Put Security Measures Into Place
Information security protects personal data from falling into the wrong hands. To demonstrate accountability, you must have the following:
- Policies and procedures for creating, locating and retrieving records
- Security measures in place for data transfers
- Procedures for maintaining data quality
- A data retention schedule based on your business needs
- Methods for destroying personal data
- An information asset register which holds details of all company software and hardware
- Acceptable use procedures for software (systems or applications)
- An access control policy
- Measures for preventing unauthorised access
- A BYOD and remote working policy
- A business continuity plan
Stay Compliant with an Outsourced DPO
Complying with the accountability principle is not a one-off task. You need to nurture a strong data protection culture in which your employees prioritise data privacy.
Our outsourced DPOs will continuously monitor your compliance, providing expert advice, managing risks and implementing best practices tailored to your business needs. Contact our team to learn more.