GDPR's accountability measures?

Brightdock

Accountability is one of the principles for personal data processing, as presented in Section Two of this course. It gives organisations a good opportunity to show, and prove, that they respect people's privacy. In order to demonstrate compliance with the GDPR, organisations need to follow these accountability measures:

  • Contracts between controllers and processors

  • Documentation of processing activities

  • Data protection by design and default

  • Data protection impact assessments (DPIA)

  • Data protection officer (DPO)

  • Codes of conduct and certification

  • Security

  • Personal data breaches

1. Contracts between controllers and processors

A written contract needs to be in place whenever a data controller uses a data processor to process personal data on their behalf. The same is required when a data processor engages another data processor (a sub-processor).

Why is the contract important?

A written contract is important to:

  • Help both the data controller and the data processor to demonstrate compliance with the GDPR

  • Ensure that both parties understand their responsibilities, obligations and liabilities

  • Increase the data subjects' confidence and build their trust when it comes to processing their personal data

What should be included in a contract?

The following must be included in a contract between a data controller and a data processor:

  1. The subject matter and duration of the processing
  2. The nature and purpose of the processing
  3. The type of personal data and categories of data subject
  4. The obligations and rights of the data controller
  5. The contractual obligations of the data processor

2. Documentation of processing activities

The GDPR has provisions for maintaining a record of processing activities, including processing purposes, data retention and data sharing.

Why is documentation important?

It is important for an organisation to document its processing activities because this is a legal requirement. Documentation also supports good data governance and helps the organisation demonstrate compliance with other aspects of the GDPR.

What must be documented?

  • The name and contact details of the organisation

  • The purposes of personal data processing

  • Categories of individuals, as well as their personal data and intended recipients

  • Details of international transfers of personal data

  • Retention schedules

  • Technical and organisational security measures

Who's responsible?

Data controllers and data processors both have documentation obligations.

  1. For organisations with 250 or more employees, documentation of all processing activities is mandatory.
  2. For small and medium-sized organisations, documentation is necessary for processing activities that are not occasional, that could result in a risk to the rights and freedoms of individuals, or that involve the processing of special categories of data.

3. Data protection by design and default

Data protection by design and default is about adopting an organisation-wide approach to data protection. This accountability measure has two layers to it.

Data protection by design

The GDPR requires organisations to establish technical and organisational measures to implement data protection principles right from the start of the design phase of any system, service, product or process.

Data protection by default

By default, organisations are required to inform data subjects before processing starts, to specify the data to be processed, and to process only the data needed to achieve a specific purpose.

Who's responsible?

Data controllers are mainly responsible for complying with data protection by design and default. If data is processed by another organisation on their behalf, they must ensure that the processors are able to meet the requirements of the GDPR.

4. Data protection impact assessments (DPIA)

A data protection impact assessment, or DPIA, is designed to identify and mitigate any data protection-related risks arising from a project, such as the processing of personal data. It considers both the likelihood and the severity of the impact of those risks on individuals.

When is it needed?

A DPIA is needed in the following circumstances:

  1. Systematic and extensive profiling
  2. Large-scale processing of special category or criminal offence data
  3. Large-scale systematic monitoring of publicly accessible places

5. Data protection officer (DPO)

A data protection officer (DPO) is a role required by the GDPR. The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. Data controllers and data processors must appoint a DPO if they are involved in large-scale processing of personal and special category data.

What are the characteristics of a DPO?

A DPO can be an existing employee or an externally appointed person, and must have these characteristics:

  1. Independent
  2. A data protection expert
  3. Adequately resourced

What are the responsibilities of a DPO?

A DPO has the following responsibilities:

  1. Inform and advise the organisation and the employees who process data about their obligations under the GDPR and other applicable data protection provisions
  2. Monitor compliance with the GDPR and other data protection laws and policies
  3. Monitor and give advice on data protection impact assessments (DPIA)
  4. Cooperate with the supervisory authority and serve as the main point of contact

6. Codes of conduct and certification

The GDPR recommends that organisations adhere to relevant codes of conduct and sign up to certification schemes.

Codes of conduct, created by trade associations and sector representatives, can be used by an organisation to help apply the GDPR effectively and to demonstrate compliance. They may cover topics such as:

  1. Fair and transparent processing
  2. The pseudonymisation of personal data
  3. Data transfer outside of the EU
  4. Breach notification

Obtaining a certification is another way in which organisations can demonstrate their compliance with the GDPR. Certifications are promoted by member states, supervisory authorities (such as the ICO), the European Data Protection Board (EDPB) and the Commission so that organisations can:

  1. Be more transparent and accountable
  2. Have a competitive advantage
  3. Create effective safeguards for mitigating data processing risks

7. Security

Implementing security measures is another GDPR requirement for personal data processing. Organisations have to perform an information risk assessment and ensure that the security measures in place are appropriate to prevent personal data from being accidentally or deliberately compromised.

What are the most common information security threats?

An organisation with poor information security puts personal data at risk, which may cause real harm to individuals. Examples of threats include:

  1. Exposure of personal data
  2. Identity theft
  3. Credit card fraud

8. Personal data breaches

The last accountability measure is recording and reporting personal data breaches.

A personal data breach may involve a number of security threats, such as unauthorised access to, accidental destruction of, or unlawful manipulation or alteration of personal data.

What must be done in cases of personal data breach?

Personal data breaches that may pose a risk to people's rights and freedoms must be reported to the ICO.

What must be included in the report?

The GDPR requires that the following items are included in the personal data breach report:

  1. A description of the nature of the personal data breach, including the approximate number of affected individuals and personal data records
  2. The name and contact details of the data protection officer (DPO) or other contact who has additional information about the breach
  3. A description of the likely consequences of the incident
  4. A description of the measures already taken, or proposed, to address the breach

By Aleksandar Savkovic WPAleks
