The accountability, governance and transparency provisions defined within the regulation emphasise, extend and elevate the implicit requirements of the existing Data Protection laws. Under GDPR you are expected to implement comprehensive but proportionate governance measures. Best practice, such as privacy impact assessments and privacy by design, becomes legally required after GDPR becomes law on May 25th 2018.
These measures are designed to minimise the risk of breaches and uphold the protection of personal data. Essentially, this means organisations will have to implement more policies and procedures even if they already have good governance in place.
What is the accountability principle?
The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and explicitly states that this is your responsibility.
How can I demonstrate that I comply?
To demonstrate that you comply with GDPR you must:
- Implement an appropriate level of technical and organisational measures that ensure and demonstrate that you comply. This is likely to include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
a) Data minimisation;
d) Allowing individuals to monitor processing; and
e) Creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
You can also adopt and adhere to an approved code of conduct for your industry or market sector. A code of conduct, written by an industry body or trade association, will typically cover:
- fair and transparent processing;
- legitimate interests pursued by controllers in specific contexts;
- the collection of personal data;
- the pseudonymisation of personal data;
- the information provided to individuals and the exercise of individuals’ rights;
- the information provided to and the protection of children (including mechanisms for obtaining parental consent);
- technical and organisational measures, including data protection by design and by default and security measures;
- breach notification;
- data transfers outside the EU; or
- dispute resolution procedures.
Maintaining records of processing activities
In addition to your obligation to provide comprehensive, clear and transparent privacy policies, if your organisation has more than 250 employees, you are required to maintain additional internal records of your processing activities.
If your organisation has fewer than 250 employees you are required to maintain records of activities related to higher-risk processing. This includes processing personal data that could result in a risk to the rights and freedoms of individuals, and processing of special categories of data or data relating to criminal convictions and offences.
What do I need to record?
You must maintain records of all processing activities because you may be required to make these records available to the relevant supervisory authority for purposes of an investigation. You must record the following information:
- Name and details of your organisation and, where applicable, of other controllers, your EU representative and data protection officer.
- Purposes of the processing.
- Description of the categories of individuals and categories of personal data.
- Categories of recipients of personal data.
- Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.
- Retention schedules.
- Description of technical and organisational security measures.