Following our previous publications regarding the GDPR, we will now review one of the entirely new concepts in data protection introduced by the Regulation, namely accountability.
Accountability in practice means that the data controller is able to demonstrate at any time that personal data are processed lawfully, fairly, in a transparent manner and limited to clearly defined purposes, keeping the data accurate and up to date and retaining it only for the time required to achieve these purposes, while ensuring an appropriate level of security and protection of the personal data.
Accountability implies proper documentation of all personal data processing operations within the undertaking. In other words, undertakings should keep a documentary record of the processing: relevant written records that allow the processing operations to be traced and that serve as evidence of compliance with the GDPR requirements in the event of a CPDP inspection.
Some of the most essential tools for achieving accountability include the following:
• maintaining records of the processing activities under Art. 30 GDPR;
• proper regulation of the relations with data subjects with regard to data processing (through personal data protection policies, privacy notices, etc.);
• proper regulation of relations with third parties regarding the transfer of data (contracts between controllers and contracts between controllers and processors);
• designation of a data protection officer, where applicable;
• conducting an impact assessment in the presence of a high risk to the rights and freedoms of the data subjects;
• timely communication to the Commission for Personal Data Protection and the data subject in cases of personal data breaches;
• implementing voluntary certification mechanisms and/or compliance with codes of conduct;
• adopting internal rules for personal data protection (guidelines, policies, etc.).
Of the tools listed above, particular attention should be given to record-keeping of the processing activities. These records shall be maintained by the personal data controller and the processor and shall be made available to the supervisory authority upon its request. The content of the records is laid down in detail in the GDPR (Article 30, paragraphs 1 and 2).
The obligation of record keeping does not apply to organisations with fewer than 250 employees unless (i) the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is not occasional, or (iii) the processing includes special categories of personal data or personal data relating to criminal convictions and offences. Whichever of these exceptions is present, the organisation concerned shall keep records of the relevant processing activity.
The impact assessment is also important for adherence to the principle of accountability. The Working Party established by Art. 29 accepts that the data protection impact assessment is a key tool for achieving accountability as it not only contributes to compliance with the requirements but also demonstrates the existence of appropriate safeguards.
The Working Party established by Article 29, a European Union data protection advisory body, in one of its opinions on the old data protection regime points out some categories of general accountability measures other than the ones listed above, the most important of which are:
• identifying all data processing processes within the organisation;
• ensuring an adequate level of data protection, training the staff members processing or responsible for personal data (such as heads of human resource departments), but also IT managers, developers and business unit directors, as well as allocating sufficient resources for the protection of personal data within the organisation;
• establishing an internal mechanism for handling complaints;
• developing internal procedures for the effective management and reporting of data protection breaches;
• implementing and monitoring verification procedures to ensure that all the measures are not merely formal but are actually introduced and implemented (internal or external audits, etc.).
What is the practical need for the principle of accountability and why should an organization make efforts to comply with it?
Personal data are a specific type of “resource” for any organisation. They constitute a powerful business tool as they provide information about the choices, preferences, attitudes and needs of consumers. This opens up great prospects for better marketing, PR, etc. Besides being a resource, personal data are a special category of information that may affect the privacy of the persons they relate to, or allow for malpractices (manipulations, etc.; an example of this is the scandal involving Cambridge Analytica and data from the social network Facebook). Therefore, organisations should ensure an adequate level of protection for this type of data. This is increasingly important in the context of the new rules and high sanctions introduced by the GDPR.
The purpose of the accountability principle is to gradually develop a culture of proper documentation of the entire movement of any personal data within the organisation. This would give companies greater control, enable them to manage their resources more adequately and, in the event of an inspection, allow them to demonstrate compliance with the GDPR requirements.
Opinion 3/2010 on the principle of accountability, WP 173, adopted on 13 July 2010, pp. 11-12.