Chapter 11 - Accountability Requirements Flashcards
What is accountability in the GDPR?
-Means the different obligations with which an organisation must comply to show and evidence their compliance with the data protection framework.
-It was first outlined in the 1980 OECD Guidelines and featured in the original Data Protection Directive.
What does Article 5 cover?
-Article 5(1) lists six principles: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality.
-Article 5(2) requires data controllers to demonstrate compliance with these principles.
What does Article 24 cover?
-Article 24(1) requires data controllers to implement appropriate technical and organisational measures to ensure and demonstrate compliance with the GDPR, considering the nature, scope, context, and purposes of processing and the risks to individuals’ rights and freedoms.
-Article 24(2) requires the implementation of appropriate data protection policies.
What should be included in internal data protection policies?
-Scope, policy statement, employee responsibilities, management responsibilities, reporting incidents, and policy compliance.
How should responsibilities be allocated in an organisation?
-Create a privacy management team or council with representatives from business function areas or key stakeholders.
-Alternatively, appoint an individual with primary responsibility for the data protection framework.
What should be included in training programs?
-Address legal data protection obligations and policy requirements, related policies, and tailor programs to business operations and employee roles.
-Document and monitor rollout and completion rates.
What does Article 25 cover?
-Data protection by design and by default
-Requires data controllers to implement technical and organisational measures to protect individuals’ rights and freedoms, including minimising data processing, pseudonymisation, and applying security standards
What does Article 30 cover?
-Outlines the records that must be kept by data controllers and processors, including names and contact details, purposes of processing, categories of data subjects and personal data, recipients, transfers to third countries, retention periods, and security measures.
What does Article 31 cover?
-Requires companies to cooperate with DPAs in the performance of their tasks.
What does Article 35 cover in relation to DPIAs?
-Requires DPIAs for processing activities likely to result in high risks to individuals’ rights and freedoms.
-DPIAs must include a description of processing operations, assessment of necessity and proportionality, risk assessment, and measures to address risks.
What does Article 37 cover in relation to DPO?
-Requires the appointment of a DPO for public authorities, regular and systematic monitoring of individuals on a large scale, and processing special categories of personal data on a large scale.
What is the role of the DPO?
-Inform and advise the company and employees, monitor compliance, provide advice on DPIAs, cooperate with supervisory authorities, and act as the point of contact for supervisory authorities.
What are Binding Corporate Rules (BCRs)?
-Privacy framework implemented by companies to facilitate cross-border transfers of personal data, ensuring compliance with high data protection standards.
-They require approval and monitoring by the lead DPA.
How can companies achieve and demonstrate accountability?
-Develop appropriate privacy policies, embed good privacy standards and practices within corporate operations and culture, ensure privacy and protection of personal data during development phases, and build a clear picture of data processing activities.
What is the significance of the CNIL’s (French DPA) Standard?
-Outlines specific requirements for privacy governance procedures, including internal and external privacy policies, the appointment and status of a DPO, data protection audits, and handling data subject access requests and data breaches.
-Companies that comply can obtain a “privacy seal.”
What are the examples of high-risk processing in Recital 75?
Processing that gives rise to:
-discrimination
-Identity theft
-fraud
-financial loss
-damage to reputation
-loss of confidentiality
-unauthorized reversal of pseudonymisation
-significant economic social disadvantage
-deprivation of rights and freedoms
-processing special categories of personal data, children’s data, or data related to criminal convictions.
What are the three key areas to consider for achieving compliance with the accountability requirement in GDPR?
(1) internal policies
(2) internal allocation of responsibilities
(3) training.
Why has accountability become relevant in today’s data protection environment?
-Over the last twenty years, there has been much discussion about how organizations can better embed data protection within their businesses and operations. Formally calling out accountability in the GDPR supports this outcome.
-Regulators and legislators seek an approach that goes beyond a ‘tick-box’ exercise, looking for companies to show they have developed and embedded a culture of data protection within their corporate DNA.
What should be included in the policy statement of an internal data protection policy?
-Should set out the company’s commitment to personal data processing, describe the purposes for collecting and processing personal data, and reiterate the principles for processing personal data as stated in Article 5(1).
What should be included in the scope of an internal data protection policy?
-Include a brief statement explaining to whom the internal policy applies
- the type of processing activities it covers.
What should be included in the employee responsibilities section of an internal data protection policy?
-Should describe employee roles in relation to personal data collection
-specify limitations on the use of collected personal data
-outline steps for maintaining data accuracy
-detail security obligations
-provide guidelines for transferring and destroying personal data.
What should be included in the reporting incidents section of an internal data protection policy?
-Require employees to report incidents involving:
(1) loss
(2) theft
(3) unauthorized disclosure
(4) inappropriate use of personal data
(5) clarify steps to be taken when notified by third-party service providers, and reference incident response plans.
What should be included in the management responsibilities section of an internal data protection policy?
Specify senior management roles responsible for:
-Assessing business risks
-Developing procedures and controls
-Allocating responsibility for data protection.
What should be included in the policy compliance section of an internal data protection policy?
-Clarify that noncompliance may result in civil and criminal penalties, damage to the company’s reputation, and disciplinary action.
