GDPR (21) Accountability under the GDPR
Now that we have covered essentially all of the GDPR, a few matters remain that need to be considered at a more global level. One of these is accountability, which applies to controllers and processors alike. Everyone who processes personal data must comply with the requirements set out in the GDPR and must also be able to demonstrate that the requirements have been complied with. If you are familiar with audits, you will know what this involves: after you have explained by what means you ensure compliance with a specific obligation, you also need to show that you actually follow the relevant procedures and adequately monitor how your employees perform them. This is the subject of this instalment of our blog.
A great deal of administrative work is involved in demonstrating that you are familiar with, and understand, all aspects of the GDPR, and that your own organisation complies with the requirements. Implementation needs to be pragmatic yet comprehensive, especially at small companies, organisations and associations. You can find many tips on how to do this in previous instalments of this blog. Moving forward, you will need to keep your documentation up to date.
First of all, you need to make sure sufficient knowledge is available in your organisation. At organisations with a data protection officer (DPO), responsibility for this is entrusted to the DPO and his or her staff. Even if you do not have a DPO, you still need to be well-informed and provide training to your employees.
The records of personal data processing operations are central to demonstrating compliance. You are required to keep these records under the GDPR, but at the same time they form an ideal starting point for documenting how you ensure data protection. For every processing operation that is described, you need to show that you have thought about the processing operation’s purpose and legal basis, that you have weighed up the risk of a data breach, and that you have taken technical and organisational security measures appropriate to that risk. Of course, you also need a proper procedure to guarantee that this information remains complete: every new or changed processing operation must be entered in the records before it starts. The DPO has an important role to play here. He or she provides assistance and monitors whether the procedure is performed precisely and promptly.
For projects that are likely to involve a high risk for the people concerned, this preliminary examination must be formalised as a data protection impact assessment (DPIA); for other important projects it is a sensible choice. A DPIA is a formal analysis of a processing operation that is aimed at identifying all potential risks to the rights and freedoms of data subjects, assessing whether the processing is necessary and proportionate to its purpose, listing the protective measures taken, and determining what risk remains once those measures are in place. Large-scale processing of special categories of personal data is one of the cases in which a DPIA is mandatory. Note that the DPIA itself is not submitted to the data protection authority (DPA – in Belgium this is the Privacy Commission, since May 2018 the Data Protection Authority) as a matter of course: you have to consult the DPA beforehand only if the DPIA shows that the processing would still involve a high risk after the planned measures, and that consultation must take place before the processing starts.
Of course, all measures taken in the area of security must be properly documented too. When a data protection audit is carried out, you are expected to be able to demonstrate immediately which procedures are applicable, when each of them was last revised, to which employees each procedure applies, and whether these employees have been notified and know what to do. If any procedures include recurring checks, it is important to be able to establish that these checks are actually performed. It is best to keep technical log files and monitoring reports for a defined retention period. If manual checks are carried out, you need to produce a short report or keep a log, for instance, so that you can show when these checks were performed and who performed them. In addition, the entire security system must be evaluated on a regular basis (at least once a year) and adjusted to reflect changes in the organisation, the tools and techniques used or the available security solutions.
In this context, you need to pay special attention to logging incidents, and data breaches in particular. Every situation that conflicts with the normal security procedures and every finding that reveals a risk of a data breach must be recorded accurately in an incident log. The GDPR itself requires you to document every personal data breach, together with its effects and the remedial action taken, regardless of whether the breach had to be notified to the DPA. Obviously, the items entered in this log need to be investigated in further detail to determine their underlying cause. At the same time, action is planned with the aim of reducing the risk. Examples of action that may be taken include additional technical security measures, additional or modified procedures and checks, and new forms of reporting or logging. This needs to be documented so that you can demonstrate your accountability. While you do not necessarily require a complicated monitoring system for this purpose, at the very least you must have several well-organised logs containing information on all incidents (including their analysis and the agreed remedies) as well as all action items, their status and the individual to whom responsibility has been assigned.
Special attention needs to be paid to the contractual agreements with partners or suppliers. You need to conclude data processing agreements with subcontractors to ensure they also comply adequately with the legislation. It is a good idea to keep records of subcontractors that have been entrusted with your personal data processing operations, in which you specify precisely what each subcontractor has been instructed to do and how you have reached agreement about this. This can then be linked to a specific contract. Conversely, you also need to ensure that your own house is in order if you are a processor acting for a client. The processing operations need to be entered in your records, although as the processor you are not required to enter as many details as the controller. In this case, too, it is essential that all crucial agreements are included in a data processing agreement.
Finally, you must be able to demonstrate that you guarantee the rights of data subjects effectively. There needs to be a clearly agreed procedure for handling questions and requests from data subjects. It is best to keep records of all the activities you perform in this context. If you log every request received from an individual, noting the date and time it was received and all action subsequently taken, you will be able to monitor whether you have reacted within the statutory deadline and responded appropriately. It also means you will always be able to demonstrate that you comply with the legislation to the best of your ability if you are audited by the DPA or in the event of a complaint. Keeping a record of the line of reasoning that was followed is crucial, particularly if you are unwilling or unable to comply with the request.
Simply complying with the legislation is therefore not enough. You also have to document this and be able to prove it. Finally, it is crucial that anticipatory action is taken at the start of all future projects to minimise potential risks. This will be the subject of the next instalment of this blog.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.