Getting to know the General Data Protection Regulation, Part 7 - Accountability Principles = More Paperwork
Ever since the European Commission’s proposal for the GDPR back in January 2012, ‘Accountability’ has formed the backbone of the draft Regulation through its legislative journey.
However let's be clear - the principle of Accountability (which essentially refers to the various obligations organisations will have to follow in order to demonstrate data protection compliance) is not a new concept in data protection (see for example the most recent version of the OECD Guidelines on the Protection of Privacy and Transborder Data flows). However, it has never played such a significant role in an EU regulatory framework, until now.
Whilst analysis of the ‘Accountability Principles’ has rightly focused on the challenges that they present to organisations, the principles also represent an opportunity for organisations to create trust in their data processing operations; with both consumers and Data Protection Authorities.
What does the law require today?
Whist the current EU Data Protection Directive (the “Directive”) does not explicitly recognise the concept of ‘Accountability’, it imposes certain obligations on organisations that fall under this concept. Examples include:
- the requirement to provide individuals with specific information about intended processing activities upon collection of personal data (via an appropriate ‘processing notice’);
- the requirement for organisations to register (‘notify’) national Data Protection Authorities (DPAs) of the intended processing activities; and
- the requirement for organisations to put in place appropriate technical and organisational measures to ensure the privacy and security of the personal data that they are processing .
The Accountability principle has been the subject of discussions of many regulators, not just in Europe (where, for example, the CNIL issued its own Accountability standard in January 2015) but also globally. In 2015, the Colombian Data Protection Authority issued its own Accountability guidelines, following similar releases by jurisdictions such as Canada, Hong Kong and Australia. These guidelines aim to align themselves with the Organisation for Economic Cooperation and Development (OECD’s) approach on Accountability. In short, comprehensive governance programs are becoming increasingly common – and obligatory.
What will the General Data Protection Regulation Require?
The Accountability principle runs through the core of the GDPR. Article 24 requires that organisations implement ‘appropriate technical and organisational measures’ to be able to ‘demonstrate’ their compliance with the Regulation, which shall also include ‘the implementation of appropriate data protection policies’. Therefore, in preparing for the Regulation, organisations will have to implement not only internal and publicly-facing policies, records and notices, but also technical measures, and fundamental personnel and strategic changes to their processing operations. Measures shall include:
Businesses will need to put in place comprehensive (and clearly drafted) privacy policies and notices for individuals, setting out full details of the processing of their personal data, including the legal basis of the processing, the safeguards in place for international transfers and data retention periods. Additional documentation which addresses the comprehensive rights now available to individuals under the Regulation will have to be put in place, e.g. an appropriate subject access policy which addresses the expanded information-requirements under the Regulation.
Similar ‘internal’ documentation setting out full details of the various processing activities an organisation undertakes will need to be kept by all organisations employing more than 250 persons (and in some limited cases by organisations employing less than 250 persons). Hence, although the obligation to register with a Data Processing Authority has been removed under the new Regulation, many organisations will still have to retain comprehensive records internally, which are to be made available to DPAs, where required.
As explained by my colleague, Sabba Mahmood here the Regulation also expressly recognises the concepts of ‘privacy by design’ and ‘privacy by default’, which means that organisations will be under a specific obligation to consider data privacy issues throughout the entire lifecycle of all projects and systems. A practical consequence of this obligation is that organisations will also have to consider Data Protection Impact Assessments (which are themselves a requirement under the Regulation for high risk processing activities).
The Regulation contains specific requirements for organisations to ensure the security of data, such as pseudonymisation and encryption practices, the ability to ensure the ongoing resilience and integrity of systems, including the ability to quickly restore the availability of systems in the event of a physical or technical incident, and procedures to ensure the ongoing testing of such systems to protect against such incidents. In general, organisations that suffer a data breach will have to notify those breaches to a national Data Protection Authority within 72 hours of becoming aware of the breach and, where the breach poses a high risk to the rights and freedoms of individuals, to the affected individuals ‘without undue delay’. In order to demonstrate compliance with the breach notification obligations, organisations will need to document full details of the breach, its consequences and the measures being implemented to remedy the breach.
Of course, central to the Accountability principle is the requirement for certain organisations to appoint a Data Protection Officer (DPO). The next article in our blog series will discuss the circumstances in which this requirement applies. Once appointed, the DPO will be the focal-point of privacy compliance for the relevant organisation, not only performing a compliance role, but also an advisory role to the business and acting as contact point for employees, customers and national DPAs. Organisations must afford DPOs full access to all resources, including training resources, to help maintain their ‘expert knowledge’ and must facilitate direct reporting by the DPO ‘to the highest management level’ of the business.
What are the practical implications?
The Accountability Principles will represent a cultural shift in the ways that organisations, consumers and DPAs will approach data protection compliance. We can expect national DPAs to begin providing us with guidance on a suggested approach to this area. That being said, now is the time for organisations to consider their current approach to compliance, review the GDPR text and begin to fill in the gaps, having regard to the obligations that the GDPR will create. Actions should include:
- A full review of internal and public-facing policies and procedures;
- Buy-in and support from senior figures in your organisation – to effect the operational (and cultural) changes required to address the Accountability principles;
- An analysis of all internal and external parties involved in your processing operations. This will go further than your IT, Marketing and HR Departments; and must include any of your third party service providers – who will also be caught by many of the afore-mentioned obligations; and
- A gap analysis, based on the Accountability requirements to identify any shortfalls and an implementation plan to address such gaps.