Accountability - the enabler to evidencing your compliance under the GDPR
Part 1: The background to accountability and the ICO's call for your input
If there is one word that underpins and overarches the General Data Protection Regulation 2016/679 ("GDPR") it is accountability. Its sole explicit reference at Article 5(2) and effective coverage at Article 24 (not including its other mention at recital 85) rather underplay how synonymous accountability is with GDPR compliance and its increasing importance in data protection per se. You did not need to attend this year's International Conference of Data Protection and Privacy Commissioners, now known as the Global Privacy Assembly, to see how accountability took centre stage and interwove itself through the conference.
The mention of accountability itself is not new to data protection, though: the term entered the privacy discourse in 1980 in the Organisation for Economic Cooperation and Development’s privacy guidelines. Many will remember how, in its Opinion on Accountability 3/2010, the Article 29 Working Party ("WP29") wrestled with how Member States would interpret this “Anglo-Saxon” word and its concept. That concern has diminished in recent times, as the mention of accountability in the GDPR has made it necessary for all EEA data protection authorities ("DPAs") and any controller to whom the GDPR applies to consider what it actually means for a controller to be able to demonstrate their compliance, i.e., their accountability. But let us acknowledge and be clear that demonstrating accountability is no mean feat!
It is widely documented how the GDPR elevated data protection to new heights and introduced what some refer to as a gold standard. Its multifaceted nature and numerous interlinking components mean that being able to demonstrate your compliance is no overnight task. Rather, it is an ongoing compliance programme that needs to be monitored, enhanced and amended as necessary, and in particular in accordance with how your organisation’s processing changes and develops over time.
Nor is accountability a job for one person. As for who is responsible for accountability within an organisation, the short answer is everyone. Given the extensive nature and voluminous collection of data today, it is fundamental that responsibility for accountability is apportioned across an organisation and it needs proactive leadership from the highest level of management. The UK Information Commissioner's Office ("ICO") in its Information Rights Strategic Plan talks about "creating a culture of accountability" no less.
So what is actually involved in demonstrating accountability? Ultimately, you need to be able to show a regulator, customer or business partner evidence that you have met, and continue to meet, all of your obligations under the GDPR. Do you have one document in place that you can produce on request that encompasses and evidences all your data protection compliance? Accountability, though, is much more than a collection of documents and operational practices. It is about being able to evidence that those policies and procedures are working in practice.
In Part 2 of this Blog on Accountability - the enabler to evidencing your compliance under the GDPR, we will provide some practical tips on what you can be doing to evidence your accountability.
To date, the only EU Data Protection Authorities ("DPAs") to have published guidance on accountability are Finland, France, the Netherlands and the UK. The ICO's pages on governance and accountability, in its guide to the GDPR, are quite comprehensive and cover some pivotal aspects of the GDPR including data protection policies; contracts; maintaining records (Article 30 records of processing activities); data protection by design and by default; data protection impact assessments; security measures; and data protection officers. Do note though that this is not an exhaustive list of accountability requirements.
In its Work Programme 2019-20, the European Data Protection Board ("EDPB") makes no suggestion that it will add to the WP29's Opinion on Accountability. However, certain guidelines under the GDPR that the EDPB has produced do feature specific commentary on accountability. Its Guidelines on personal data breach notification under Regulation 2016/679 (wp250rev.01) contain detailed guidance on accountability and the record keeping of data breaches. Do you have a procedure for how you record your data breaches? The EDPB's guidelines on Data Protection Impact Assessments ("DPIAs") emphasise the importance of DPIAs to accountability. It is important to ensure that the procedures you have in place take account of material changes in data protection. Have you, for example, considered updating your DPIA procedure in light of the EDPB's opinions on the draft lists from your respective competent supervisory authority "regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR)"?
The ICO in its Regulatory Action Policy states, "our hierarchy and risk-based approach mean that it is more likely that a penalty will be imposed where, for example … there has been a failure to implement the accountability provisions of the GDPR". The ICO's momentum for instilling a culture of accountability is gathering pace. Regular readers of the Information Commissioner's public speeches will know that, in the majority of them, reference to accountability (the word, the concept and/or its overarching nature) appears throughout. In keeping with that message, the ICO today has launched a survey encouraging feedback on its plans to produce an accountability toolkit that controllers can use to develop their own accountability framework.
The survey asks for comment on the proposed scope and structure of the ICO's toolkit and highlights what the ICO is expecting to see in a controller's accountability framework. It is important that all controllers turn their attention to the subject of accountability, whether they have a mature accountability programme in place or are yet to start work on accountability, and consider the expectations of this regulator.
Since the fanfare surrounding the GDPR becoming applicable on 25 May 2018, and the marking of the GDPR one year on, we are yet to see a flurry of regulatory action, and some controllers have for now, arguably, turned their focus away from their data protection compliance obligations. Yet we know there are some potentially big fines that will be imposed by the ICO and Ireland's Data Protection Commission in due course, and no doubt by other DPAs. Whilst those fines will invariably be for data breaches, in time it is inevitable that we will see enforcement action and fines for the lack of accountability provisions. As the GDPR matures, so too will a DPA's ability to fine across the spectrum of GDPR obligations. Ignoring accountability is extremely short-sighted.
Aside from the risk of enforcement action and the ability to mitigate that risk, businesses should also recognise the fundamental importance of preserving public trust and confidence in their brand, and realise that demonstrating accountability is essential to achieving this. Even with the greatest GDPR readiness project, not implementing and continually reviewing your accountability is akin to having a house built on sand. Foolish. Do not delay on being able to demonstrate your accountability. The consequences are ultimately too great.
With many thanks to Fieldfisher trainee Olivia Rogers on drafting content for this blog.
Lorna Cropper and Hazel Grant recently took part in a webinar on accountability with Nymity's Paul Breitbarth: How do you demonstrate your compliance with the GDPR? You can listen to the webinar here.
Hazel Grant will be chairing a panel on accountability at this year's IAPP Europe Data Protection Conference on Thursday 21 November at 12:15pm: GDPR 2.0 #Accountability. How are you evidencing yours?