GDPR Jargon Buster: Accountability

Accountability is one of the seven principles of the UK GDPR, requiring an organisation to be responsible for, and be able to demonstrate compliance with data protection legislation.

Accountability is an express overarching principle of the UK GDPR. In relation to personal data, it requires an organisation to comply both with its obligations under the UK GDPR, and to demonstrate that compliance. Accountability is generally achieved through a range of data privacy measures, tailored to an organisation’s data processing operations and its associated risks to the individuals whose personal data is being processed. This will be relevant across all of the business functions, including suppliers, customers, human resources, marketing, finance and information security.

Accountability measures could include:

• Undertaking a data mapping exercise
• Appointing a data protection officer
• Creating and maintaining a record of processing activities
• Creating data protection policies and procedures
• Creating a data retention policy
• Recording data protection impact assessments and legitimate interest assessments
• Implementing a data breach response regime
• Undertaking appropriate security measures to protect personal data
• Conducting training on data protection

The Information Commissioner’s Office (ICO), the UK regulator, recognises the difficulties for organisations in knowing where to start when implementing an accountability framework, and has developed a Privacy Management Framework, for use as an optional tool for organisations to adapt for their own data processing activities.

Whilst a comprehensive privacy program may sound burdensome, it not only offers an organisation the opportunity to demonstrate compliance, but also to enhance a company’s brand and public trust, reduce the risk of a data breach and increase the value and quality of data.

Alongside tangible evidence of compliance, an organisation is expected to foster a “culture of accountability”. The ICO expects cross-organisational engagement with data protection, and for accountability to form part of its cultural fabric.

For more information or advice on data protection compliance, please contact Beverley Flynn or any member of the commercial and technology team.