Chapter 2H: Accountability Requirements Flashcards
How can ‘accountability’ be defined?
Best described as the different obligations with which an organisation must comply in order to show and evidence its compliance with the data protection framework.
Where was the concept of accountability first outlined?
In 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
N.B. it was also featured in the Data Protection Directive (not explicitly, but the issues that support the principle were addressed, e.g. the requirement for organisations to register with national DPAs).
What do regulators expect of companies in relation to ‘accountability’?
Companies should be able to show that they have developed and embedded a culture of data protection within their corporate DNA.
In what article of the GDPR is accountability first introduced?
Article 5.
Article 5(2) specifically provides that not only is the data controller responsible for complying with the six principles set out in Article 5(1), but that it must also…
Be able to demonstrate compliance with the 6 principles.
Article 24(1) codifies the accountability obligation and requires data controllers to…
‘Implement appropriate technical and organisational measures to ensure that data processing is performed in accordance with the regulation and review and update those measures where necessary’ - those measures should take into account the nature, scope, context and purposes of the processes and the risks to the rights and freedoms of individuals.
If the relevant processing results in a higher risk to the rights of the individual, they need to adopt greater measures to protect against the risk.
Recital 75 provides some examples of high risk processing - including processing which gives rise to…
Discrimination
Identity theft, fraud or financial loss
Reputational damage
Loss of confidentiality of personal data protected by professional secrecy
Unauthorised reversal of pseudonymisation
Any significant economic or social disadvantage
Processing which deprives individuals of rights and freedoms or prevents them from exercising control over their personal data
Processing special categories of personal data, the personal data of children or the personal data related to criminal convictions.
Article 24(2) introduces the requirement that the data controller should implement…
Appropriate data protection policies - but just implementing policies is unlikely to be enough, and controllers should consider internal policies, internal allocation of responsibilities and training to achieve compliance.
What should an internal policy re: data protection do?
Outline the basic contours of the measures to take in the processing and handling of personal data.
What should an internal policy re: data protection cover in scope?
The policy should include a brief statement that explains to whom the internal policy applies and the type of processing activities it covers.
What should the policy statement in an internal data protection policy cover?
The company’s commitment to or position that concerns personal data processed.
A description of the purposes for which it collects and processes personal data and a specification of the types of legitimate business purposes for this.
Reiterate the principles of processing personal data (Article 5(1)) as the applicable fundamental principles should be addressed within the internal policy.
What employee responsibilities should an internal data protection policy put in place?
The different areas for which employees are directly responsible when processing personal data, including the limitations around the use of the collected personal data and the steps that must be followed in order to ensure that the personal data is maintained accurately.
In addition:
Security obligations
Any steps that should be taken before transferring any personal data
Responsibilities re: destruction or deletion of personal data
What does an information security policy typically address?
Detailed technical standards that apply to the physical and digital security of all data held.
Some companies base these policies on industry standards, such as ISO 27001/2
What should an internal data protection policy put in place re: management responsibilities?
- A clear list of senior management roles across the business that are responsible for assessing business risk arising as a result of personal data
- A clear list of who those senior managers must work with to develop procedures and controls and identify and address risks appropriately (e.g. an internal DPO)
- Clearly outline responsibilities for everything from determining risk-based technical, physical and administrative safeguards to establishing procedures and requirements for transferring personal data to countries other than the collection country, etc.
What should an internal data protection policy outline re: reporting incidents?
Employees should be expressly required to immediately report all incidents that involve suspected or actual loss, theft, unauthorised disclosure or inappropriate use of personal data (clearly identify to which business areas a report should be made). Timescales should be made clear.
There should also be a clear path for incidents raised by a third-party processor to an employee.
Incident response teams should be called out in the policy.
What should an internal data protection policy outline re: compliance?
Non-compliance or failure to comply with applicable data protection laws could mean that an employee may subject the company and the individuals involved to civil and criminal penalties - which could severely damage the company’s reputation. Therefore failure to comply with the policy may result in disciplinary action.
What approach should an organisation take to the internal allocation of responsibilities?
The data controller must be able to demonstrate and provide information to DPAs about their various data protection management resources and also take primary responsibility for the internal data protection framework to ensure internal compliance.
A privacy team or council would comprise representatives from either business function areas or business key stakeholders; alternatively, or simultaneously, an individual could be appointed to hold primary responsibility for the data protection framework (a DPO).
What training should a data controller devise?
A series of internal training programmes designed to address and inform employees of legal data protection obligations and policy requirements.
The controller should document and monitor rollout and completion rates, and also create and deliver regular messages and updates to remind employees of their privacy obligations.
What is the requirement of ‘privacy by design and by default’?
The requirement to integrate necessary safeguards for data processing ‘by design and by default’ (i.e. embedding data protection into design of new systems, projects, technologies).
Privacy by design was designed to…
Promote privacy and data protection compliance from the outset of the development of new products, services or technologies which in turn reduces privacy risks.
Logically should also address ongoing operation and management of such developments to enable companies to deal effectively with the entire life cycle of any personal data processed.