The European General Data Protection Regulation (GDPR) has now been in force for over two years. In this series of articles we look at some of the topics where practice and guidance have evolved since May 2018. We also look at the steps that organizations should be taking now in light of what we have learned. In this article we cover the requirements around demonstrating accountability and how these have evolved in practice.
What does the GDPR say about demonstrating accountability?
The GDPR places strong emphasis on the principle of accountability, which requires organizations not only to act in a compliant way, but also to record and demonstrate their compliance through written assessments, policies and documentation.
As well as a general requirement to be able to demonstrate compliance with the principles of the GDPR, there are specific requirements to:
- maintain a record of processing activities;
- document personal data breaches;
- carry out data protection impact assessments;
- implement organizational measures to ensure compliance; and
- document relationships with processors, sub-processors and joint controllers.
What issues have we seen?
In the run-up to GDPR coming into effect, our expectation of what would be needed to demonstrate accountability was mostly focused on specific key documentation. This included external- and internal-facing privacy policies and guidance on how to address key issues under GDPR, such as good data handling processes, security, data breaches and managing subject access requests.
Over the last few years, it has become clear that data protection regulators expect more detailed documentation to be in place on a range of topics. This is particularly important in some circumstances, including when decisions are made around whether legitimate interests is an appropriate basis for processing, whether two organizations are separate or joint controllers, or where a product with potentially invasive uses of data is being considered. In proceedings brought by regulators, the accountability principle has often been invoked to shift the burden of proof for GDPR compliance to the data controller, leading to the risk of higher fines if a controller cannot provide sufficiently detailed documentation.