The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now legally required in certain circumstances.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.
In more detail…
What is the accountability principle?
The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
How can I demonstrate that I comply?
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  - Data minimisation;
  - Allowing individuals to monitor processing; and
  - Creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
You can also:
Records of processing activities (documentation)
As well as your obligation to provide comprehensive, clear and transparent privacy policies (see section on Individual rights), if your organisation has more than 250 employees, you must maintain additional internal records of your processing activities.
If your organisation has fewer than 250 employees, you are required to maintain records of activities related to higher risk processing, such as:
- processing personal data that could result in a risk to the rights and freedoms of individuals; or
- processing of special categories of data or criminal convictions and offences.
What do I need to record?
You must maintain internal records of processing activities. You must record the following information. There are some similarities with ‘registrable particulars’ under the DPA which must be notified to the ICO.
- Name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer).
- Purposes of the processing.
- Description of the categories of individuals and categories of personal data.
- Categories of recipients of personal data.
- Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.
- Retention schedules.
- Description of technical and organisational security measures.
You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.
Further reading from the Article 29 Working Party
The Article 29 Working Party has published guidelines and FAQs on lead supervisory authorities. These are intended to assist in identifying which is the lead supervisory authority when a controller or processor is carrying out cross-border processing of personal data.
The Working Party is inviting comments on these documents up to 15 February 2017.
Data protection by design and by default
Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
Under the DPA, privacy by design has always been an implicit requirement of the principles - eg relevance and non-excessiveness - that the ICO has consistently championed. The ICO has published guidance in this area.
Data protection impact assessments
What is a data protection impact assessment?
Data protection impact assessments (DPIAs) (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
While not a legal requirement under the DPA, the ICO has promoted the use of DPIAs as an integral part of taking a privacy by design approach. See the ICO’s Conducting privacy impact assessments code of practice for good practice advice.
When do I need to conduct a DPIA?
You must carry out a DPIA when:
- using new technologies; and
- the processing is likely to result in a high risk to the rights and freedoms of individuals.
Processing that is likely to result in a high risk includes (but is not limited to):
- systematic and extensive processing activities, including profiling, and where decisions are made that have legal effects – or similarly significant effects – on individuals.
- large scale processing of special categories of data or personal data relating to criminal convictions or offences.
  This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms eg based on the sensitivity of the processing activity.
- large scale, systematic monitoring of public areas (CCTV).
What information should the DPIA contain?
- A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
- An assessment of the necessity and proportionality of the processing in relation to the purpose.
- An assessment of the risks to individuals.
- The measures in place to address risk, including security, and to demonstrate that you comply.
A DPIA can address more than one project.
The Article 29 Working Party has already begun work on guidelines on high risk processing and DPIAs. The guidelines will be published in 2017 according to its workplan.
When does a Data Protection Officer need to be appointed under the GDPR?
Under the GDPR, you must appoint a data protection officer (DPO) if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
What are the tasks of the DPO?
The DPO’s minimum tasks are defined in Article 39:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
What does the GDPR say about employer duties?
You must ensure that:
- The DPO reports to the highest management level of your organisation – ie board level.
- The DPO operates independently and is not dismissed or penalised for performing their task.
- Adequate resources are provided to enable DPOs to meet their GDPR obligations.
Can we allocate the role of DPO to an existing employee?
Yes, as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.
You can also contract out the role of DPO externally.
Does the data protection officer need specific qualifications?
The GDPR does not specify the precise credentials a data protection officer is expected to have.
It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
Further reading from the Article 29 Working Party
Further reading from the ICO
We are currently considering whether the ICO can provide any further detail over and above the Article 29 Working Party guidelines. We will add any additional advice we are able to provide here in due course.
Codes of conduct and certification mechanisms
The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.
The specific needs of micro, small and medium sized enterprises must be taken into account.
Signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.
Adhering to codes of conduct and certification schemes brings a number of benefits over and above demonstrating that you comply. It can:
- improve transparency and accountability - enabling individuals to distinguish the organisations that meet the requirements of the law and that they can trust with their personal data;
- provide mitigation against enforcement action; and
- improve standards by establishing best practice.
When contracting work to third parties, including processors, you may wish to consider whether they have signed up to codes of conduct or certification mechanisms.
Who is responsible for drawing up codes of conduct?
Governments and regulators can encourage the drawing up of codes of conduct.
Codes of conduct may be created by trade associations or representative bodies.
Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99).
Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB).
Existing codes can be amended or extended to comply with the requirements under the GDPR.
What will codes of conduct address?
Codes of conduct should help you comply with the law, and may cover topics such as:
- fair and transparent processing;
- legitimate interests pursued by controllers in specific contexts;
- the collection of personal data;
- the pseudonymisation of personal data;
- the information provided to individuals and the exercise of individuals’ rights;
- the information provided to and the protection of children (including mechanisms for obtaining parental consent);
- technical and organisational measures, including data protection by design and by default and security measures;
- breach notification;
- data transfers outside the EU; or
- dispute resolution procedures.
If you sign up to a code of conduct, you will be subject to mandatory monitoring by a body accredited by the supervisory authority.
If you infringe the requirements of the code of practice, you may be suspended or excluded and the supervisory authority will be informed. You also risk being subject to a fine of up to 10 million Euros or 2 per cent of your global turnover.
Adherence to a code of conduct may serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine.
Who is responsible for certification mechanisms?
Member states, supervisory authorities, the EDPB or the Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation.
Certification will be issued by supervisory authorities or accredited certification bodies.
What is the purpose of a certification mechanism?
A certification mechanism is a way for you to demonstrate that you comply, in particular by showing that you are implementing technical and organisational measures.
A certification mechanism may also be established to demonstrate the existence of appropriate safeguards related to the adequacy of data transfers.
Certification mechanisms are intended to allow individuals to quickly assess the level of data protection of a particular product or service.
Certification does not reduce your data protection responsibilities.
You must provide all the necessary information and access to your processing activities to the certification body to enable it to conduct the certification procedure.
Any certification will be valid for a maximum of three years. It can be withdrawn if you no longer meet the requirements of the certification, and the supervisory authority will be notified.
If you fail to adhere to the standards of the certification scheme, you risk being subject to an administrative fine of up to 10 million Euros or 2 per cent of your global turnover.
Next steps for the Article 29 Working Party
According to its workplan, the Article 29 Working Party will produce guidelines on certification in 2017. It also intends to publish guidelines, which are already under development, on imposing administrative fines.