You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are legally required in certain circumstances that pose a risk to the rights and freedoms of individuals.

Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many will already have good governance measures in place.

What is the accountability principle?

Part 3, Chapter 2 of the Act requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility as data controller.

How can we demonstrate that we comply?

You must implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

In addition, you must:

  • maintain relevant documentation on your processing activities;
  • where appropriate, appoint a data protection officer; and
  • implement measures that meet the principles of data protection by design and data protection by default.

Such measures could include: 

  • data minimisation;
  • pseudonymisation;
  • transparency, where appropriate;
  • creating and improving security features on an ongoing basis; or
  • data protection impact assessments where appropriate.