Part 1 of the “GDPR Accountability” series
Having recently attended a two-day conference during which the General Data Protection Regulation (GDPR) was a frequent presentation topic, I have to admit to a developing sense of concern over the discussion topics, and dismay for organizations casting around for answers to meet the GDPR’s requirements. So I want to take a closer look at the GDPR’s definition of accountability, and offer tips on how organizations can “get clean,” “stay clean,” and “show clean.”
One of the big differences between the current data protection acts and GDPR is the concept of accountability.
There are others, such as the joint responsibility of data controller and data processor, but that is more of a binary 0/1 fact: now that you know about it, you have to comply. How do you comply? Take a look at accountability.
One of the earlier Information Commissioner’s Office “guidance to the GDPR” documents makes the point:
“The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example, documenting the decisions you take about processing activity.
“You must implement appropriate technical and organisational measures that ensure and demonstrate that you comply.”
A recent Gartner publication considers the “Top 5 Priorities to Prepare for EU GDPR” to be:
- Determine your role under the GDPR
- Appoint a data protection officer
- Demonstrate accountability in all processing activities
- Check cross-border data flows
- Prepare for data subjects exercising their rights
So after 1) determining how GDPR affects you (for example, are you a data processor, a data controller, or both; do you have dealings with the EU or EU residents’ data?) and 2) determining if you need to appoint a data protection officer, the next most critical thing to do is 3) demonstrate accountability of processing activities.
The GDPR itself specifically talks about accountability in Article 5 paragraph 2, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
This paragraph refers to the six principles of the GDPR; for the sake of brevity, I’ll highlight only the short label that ends each principle:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
Article 30 paragraph 3 requires that data controllers and processors record their duties and responsibilities in writing, including in electronic form.
The gist of the regulations
In other words, the supervisory authority requires that, in order for you to avoid an audit and potential financial sanctions and/or reprimands, you must both be responsible for, and be able to demonstrate, how you comply with the six principles above. And you must record your duties as a data processor and/or controller in writing – including in electronic form, which is the most cost-effective, repeatable, reportable, and reliably auditable way of doing that.
Rolling out some encryption, pseudonymization, or blocking and data-deletion technology, for example, is necessary and good. Such technologies are obviously useful and in some cases essential. But on their own, they do not necessarily demonstrate accountability.
In other words, they don’t answer the bigger GDPR compliance question – showing how you comply with the principles, such as recording the decisions you take about processing and the mitigating actions put in place after a data protection impact assessment (DPIA) is carried out.
Something more is required both in approach and tooling.
The next blog in this series will explore possible approaches.