The Principle of Accountability
Article 5(2) of the GDPR
Summary of the GDPR Principle
The Principle of Accountability
The Principle of Accountability means that the controller (the company) is responsible for ensuring that it complies with all the data protection principles when processing personal data. The seven data protection principles permeate the entire General Data Protection Regulation, also known as the GDPR. They form the basis of all provisions within the GDPR.
The controller has an obligation to demonstrate that it complies with all the provisions and principles of the GDPR. In other words, data subjects and data protection authorities do not need to prove that the controller is in breach of the GDPR. Instead, it is the controller that must prove and demonstrate that it complies with the GDPR. This follows from the principle of accountability, which is a core element of the GDPR and is governed by Article 5(2) of the GDPR.
Note that the company must also comply with the other basic data protection principles, such as the Data Protection Principle of Data Minimization.
How to demonstrate compliance with the Principle of Accountability
A company can do a variety of things to demonstrate compliance with the GDPR and the principle of accountability. Keep in mind that the supervisory authority may request access to all or part of the company’s documentation, records of processing activities, etc. It is therefore important for a company to be prepared and to keep its internal and practical GDPR work and the associated documentation in good order.
Below are some examples of actions companies can take to demonstrate compliance with the principle of accountability.
Demonstrate compliance with the principle of accountability
Provide information to data subjects
Companies that process personal data must inform the data subjects before processing. The information should be clear and should state, for example, who the controller is, the purpose of the processing, how long the company needs to process the personal data, and what risks the processing entails for the data subjects.
Document all assessments, breaches, procedures etc.
Companies should document their processing operations, the justifications for their decisions and any other information that can demonstrate that the company complies with the GDPR. For example, if a company believes that it has a legitimate interest, it needs to carry out and document a balancing of interests. In addition, companies need to carry out impact assessments for certain processing operations.
Implement internal procedures and guidelines
Companies should have internal data protection procedures and guidelines that employees follow. Examples include templates for how employees should answer data subjects’ questions about the processing of personal data, internal procedures for how employees should fulfil the rights that data subjects have under the GDPR, and routines for how employees should delete personal data that the company no longer needs to process.
Educate the staff on GDPR and data protection
Staff may need training in the GDPR in order for the organization to comply with the regulation. It is common for companies to send certain employees on training courses. In addition, some larger companies have several employees, for example in different departments, who need knowledge of the GDPR and are therefore sent to training.
Document personal data breaches (Article 33(5) GDPR)
A personal data breach is a security incident that occurs, for example, when an unauthorized person gains access to personal data. It is also a personal data breach if personal data is lost or altered without authorization. In the event of a personal data breach, the company shall document the breach and try to minimise its consequences. This applies regardless of whether the incident needs to be reported to the supervisory authority or not.
Publish the privacy notice on the website (Article 12 GDPR)
It is common for companies to publish their privacy notice on their website. A privacy notice describes the processing of personal data, for example the purposes of and legal basis for the processing. In addition, companies that have a data protection officer usually include the officer’s contact details in the privacy notice. Companies should not include the privacy notice in their terms and conditions, but should publish it separately.
Consent box (Article 7 GDPR)
Companies that process personal data on the legal basis of consent may collect consent in various ways. In some cases, this can be done through a check box on a form or the like. It is important to note that the consent box must not be pre-ticked, because a pre-ticked box is not an actively given consent and the consent is therefore not valid.
Companies must be able to demonstrate that they have obtained a valid consent, if this is the legal basis for the processing of the personal data. In addition, it shall be easy for data subjects to withdraw the consent given. Otherwise, the consent is not valid either.
The company shall also document the consents obtained in order to be able to prove them, in accordance with the principle of accountability. Keep in mind that certain information must be provided when obtaining consent.
Conduct data protection impact assessment (Article 35 GDPR)
Companies shall carry out a data protection impact assessment in certain cases, namely if the processing is likely to result in a high risk to the rights and freedoms of natural persons. In such cases, the company shall carry out and document the impact assessment before the processing starts.
Keep a record of processing activities (Article 30 GDPR)
A further way to comply with the principle of accountability is to keep a record of processing activities. It shall contain information on all processing of personal data, such as the purpose, the storage period, the recipients of the personal data, etc. Article 30 of the GDPR sets out what a record of processing activities must contain in order to meet the minimum requirements.
Other data protection principles
Principle of Lawfulness, Fairness, and Transparency
This basic data protection principle consists of three parts: lawfulness, fairness, and transparency. Lawfulness means that companies must have a legal basis for processing personal data, for example consent or an agreement with the data subject. Fairness means that the company shall not process personal data in a way that is disproportionate to the purpose of the processing. Transparency means that companies must inform data subjects about the processing in a transparent manner. In other words, it should not be difficult for data subjects to understand, for example, the purpose of the processing.