Accountability - the enabler to evidencing your compliance under the GDPR
Part 2: Some practical tips about what you ought to be considering and doing
Welcome to the second part of this blog on Accountability - the enabler to evidencing your compliance under the GDPR. Given accountability's extensive nature across the GDPR, it can be difficult to know quite where to start with evidencing your compliance. As mentioned in Part 1, it is practical to have one document or framework which acts as a hub, documenting and recording in one place all the different components of your data protection compliance. It is important to remember that accountability is not necessarily about the paperwork itself, but about being able to evidence that the practical steps you have taken demonstrate that your policies and procedures are working in practice to support your compliance.
Without doubt, it was a demanding time getting ready for the applicability of the GDPR on 25 May 2018. Post 25 May it is understandable that business as usual has taken up a considerable amount of time, perhaps leaving little time to consider how those policies and new procedures have been working in practice for the last 17 months! Have you reviewed those policies since they were externally published or internally implemented? Accountability requires proactive monitoring of your policies and procedures to ensure that they are effective, up to date and fit for purpose, and making amendments where necessary.
Let us consider your data protection training policy. How is this working in practice? You may want to cross-reference your answer here to your record of non-notifiable data breaches (see below). If there are a number of non-notifiable data breaches, for example due to human error, you certainly need to examine the content of the training on offer. Do your data protection champions receive the appropriate support and have visibility across your organisation? Are you still receiving high volumes of data subject access requests ("DSARs")? If so, can you identify any reasons or patterns as to why this continues? Is there perhaps a requirement for employees handling personal data to receive additional training to reduce the complaints that may generate a DSAR? Has general refresher training been given to all employees? Data protection awareness amongst employees is a key component in mitigating risk.
Keeping with the theme of training and knowledge, who within your organisation is monitoring the fines given under the GDPR and, crucially, why? When regulatory fines are given, it is necessary that you consider whether any change in your practices is required. For example, how did you react to the Danish regulator's fine of Taxa 4x35 for a controller not adhering to its data retention schedule? Are you certain that the data you are retaining at any one time is in line with the timeframe stated in your data retention schedule?
Data Protection Authorities ("DPAs") have emphatically stated that they do not wish to receive notifications for all data breaches. However, in accordance with the European Data Protection Board's ("EDPB") guidelines on personal data breach notification it is an obligation under Article 24 for a controller to keep a record of all data breach incidents, notifiable and non-notifiable. What is interesting is that there is no one way in which to demonstrate accountability. The EDPB's guidelines suggest that a record for a non-notifiable data breach can be added to a controller's Article 30 records of processing, provided that the data can be easily identified and extracted, should a DPA request to see a record of all non-notifiable data breaches. Depending on your systems and the extensiveness of your Article 30 records, it may well be more straightforward to have a separate template for all data breaches, distinguishing between the notified and the non-notified. These EDPB guidelines provide the detail about what to record including the reasons for a particular decision taken in response to a breach.
Your data breach recording may even mitigate your position if you later experience a data breach that you do need to report. For example, if you have improved your systems due to previous experiences, developed training for employees, amended your incident response handling policy and implemented lessons learnt from a penetration test, undertaken because of a number of recorded non-notifiable data incidents, you can demonstrate to a regulator that you proactively and continually look to improve your security measures. This continual improvement of security measures will provide some strong arguments in mitigation.
What becomes apparent as you examine accountability more closely, if it has not already, is that data protection under the GDPR is never a completed exercise. Rather, it demands periodic review and questions asked to determine whether an organisation's practices are working and, if not, attention given to what improvements are required.
Many organisations appointed a Data Protection Officer ("DPO") under the GDPR. Yet this does not mean "job done" with respect to your compliance. It is merely a start. Fundamental to any DPO role is the DPO's complete integration into the business and the support and ear of the highest level of management. Equally, if you considered appointing a DPO under the GDPR and ultimately did not think it necessary, is that decision-making process documented? Do you also have a procedure in place to consider what changes in your processing may trigger the need to revisit that decision?
To achieve "data protection by design and by default", another component of accountability, a cultural shift may be required to ensure data protection is considered at the outset of every new project and for the duration of its life. Effective training for staff is key, so that employees, in particular those designing new tools and projects, are continuously thinking about data protection by design and by default. Does your training identify areas where a candidate is not demonstrating a strong understanding of certain aspects of data protection despite a need for it in their particular job role? Bespoke training for those needing to implement data protection by design and by default may be relevant. In addition, to stress the importance of data protection by design and by default, you could consider providing a "data protection health warning" to perpetuate this concept through an employee's day-to-day work. Throughout the life cycle of the product, alerts could be in place to ensure consideration of data protection is at the fore. It is the thought behind, and operation of, such extra steps that goes towards demonstrating accountability.
You now have some pointers as to what you can be considering to evidence your accountability, what some term "GDPR phase two". The above touches on a number of facets but is not an exhaustive list of the operational processes you need to be reviewing. What about your chosen lawful basis? Do your systems ensure that new contracts include the minimum data protection provisions? As highlighted above and discussed in our recent webinar on this subject, there is no set way to evidence your accountability. However, there are certain common denominators that need to be demonstrated and, in embracing accountability's proactive approach, there is no time like the present to (re)examine your organisation's position on accountability.