Accountability moves up the data protection agenda

The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. Amongst the new measures it introduces is a greater emphasis on data controllers being both responsible for and able to demonstrate their compliance with the GDPR’s data protection principles. This “accountability principle” will require organisations to be able to demonstrate that:

• They are processing personal data in a lawful, fair and transparent manner;
• Personal data is being collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This is subject to special rules where processing is for archiving purposes in the public interest, or for scientific or historical research, or for statistical purposes;
• Personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
• Personal data is accurate and where necessary kept up to date, and that every reasonable step has been taken, having regard to the purposes for which the data is processed, to ensure that any inaccurate personal data is erased or rectified without delay;
• Personal data is kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed. This principle is again subject to special rules for archiving purposes in the public interest, scientific or historical research and for statistical purposes, and also to the implementation of “appropriate technical and organisational measures” required by the Regulation to safeguard the rights and freedoms of data subjects;
• Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Information Commissioner has described accountability as arguably the biggest change introduced by the GDPR. She has commented: “The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”