#1 – Introduction & accountability
Hello and welcome to the first post in our series about the GDPR’s requirements. The regulation has been in force for over four years, but we know it’s still hard for many companies and organisations to understand what it really means, and what it requires of us as controllers and processors.
With this GDPR requirement series, we intend to break down some of the most important requirements into meaningful and appropriate responses that are both understandable and actionable.
My colleagues in DPOrganizer’s Professional Services team and I are creating this series to share some of our own experiences from helping customers of all shapes and sizes, and hopefully to provide some inspiration, so that you can build a more effective and sustainable privacy program.
Follow us for a new release every week, and don’t hesitate to reach out if you want to dig deeper and discuss how these requirements affect you and your privacy program.
To start off this series, I will write about the principle of accountability. It is an overarching principle that works its way into all the other requirements. Put simply, it states that the controller is responsible for, and must be able to demonstrate compliance with, the other principles of the regulation (Article 5(2) GDPR).
In essence, the meaning is twofold. Firstly, the controller is responsible for fulfilling the regulation’s other requirements with regard to its own processing activities. Secondly, it must be able to prove that it does so. In addition, the EDPB has stated that “to be able to process personal data responsibly, the controller should have both the knowledge of and the ability to implement data protection”.
Accountability can take different forms, but in most companies it takes the form of some kind of privacy program. To this end, the regulation states that the controller should implement appropriate and effective measures. What is to be considered “appropriate and effective” is, of course, circumstantial. Processing that carries more risk calls for a more comprehensive and well-developed privacy program, while occasional, low-risk processing demands much less of it. As with data protection in general, and I know this is a cliché, it isn’t a box-ticking exercise. Instead, it has to be a continuous approach of regularly assessing the effectiveness and appropriateness of your measures, both those already in place and those not yet implemented. You should document any conclusions you arrive at, since that documentation is what allows you to demonstrate compliance later.
So, basically, the principle of accountability demands that your organisation take appropriate measures to embed the GDPR requirements in your day-to-day operations. If you have just started building your privacy program and don’t know where to start or what matters most, we often recommend, or help you to carry out, data discovery and data mapping exercises. After all, how can you know what is appropriate if you don’t know what personal data you process, why you process it, and how? Once you can answer these three questions and have identified and documented all of that data, it is time to talk about implementing accountability, governance, and compliance.
If you enjoyed this post, please join me in the next one in this series, where I will elaborate more on the requirement to identify personal data and the basics of how to do data discovery. If you loved it, we will see each other every Tuesday!