DP2017: Accountability – The ‘forgotten’ principle
29 Sep 2017
Duncan Smith, Director at iCompli, takes another of the DP2017 breakout sessions, focusing on accountability – a key principle of GDPR, but one that only appears in the Regulation once…
“Under GDPR the ability to say ‘Actually, we did all the things we should have done’ is incredibly important, but to do that is actually really difficult.”
Despite this single appearance in the text, accountability is not new to anyone who is familiar with the ‘original’ OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), or with their 2013 update (in which there are 39 references to ‘accountability’).
“The OECD Guidance is the foundation of modern law and is still applicable to the latest updates in GDPR. These origins also have accountability at their very core.”
The OECD Guidelines set out eight basic principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. The accountability principle makes the data controller answerable for complying with the measures that give effect to the other principles, so someone within the organisation has to own that compliance with the law.
“When it comes to implementing accountability, there is no silver bullet. It’s important you find a solution that is structured to fit your business. For example, if you don’t handle much sensitive data, you probably don’t need a huge amount of additional data security resource included.”
“People within your organisation need to also understand where the potential risks are coming from, in order to plan and mitigate them.”
This will enable organisations to better manage the rights of the individual, and the business’s responsibilities to those individuals whose personal data it holds. Under GDPR, data controllers are responsible for complying with the six principles…
“Wrong! Accountability is the unnumbered seventh principle and it’s the ability to demonstrate this compliance that is key. Every business must be able to answer how they are going to prove and track not just one, but all of the other six principles.”
This covers everything from data audits and records of consent to any decisions taken on legitimate interests.
“No matter what legal base you’re using. Prove it!”
Accountability should drive your organisation to put in place comprehensive but proportionate governance measures. Under GDPR it also brings a legal requirement to carry out privacy impact assessments and to apply privacy by design in certain circumstances, to adhere to codes of practice and, most importantly, to document all of these activities.
“Mistakes do happen. But when they do it’s accountability that can be the thing that gets you out of jail.”
Smith then signed off with a quote from author Thomas Paine: “A body of men holding themselves accountable to nobody ought not to be trusted by anybody.”