Demonstrate your compliance with data protection regulations

Compliance with the provisions of the General Data Protection Regulation (GDPR) is required when processing personal data. Accountability means that the controller must be able to demonstrate its compliance with data protection legislation and is a key principle of the GDPR.

For example, if the controller notices a personal data breach, it can rely on its accountability to demonstrate that it has actively sought to identify risks related to data protection and adopted the necessary measures for the protection of the personal data. If the controller is not able to demonstrate compliance with the obligations of the GDPR, it can result in administrative sanctions in addition to loss of reputation.  

The purpose of accountability is not just the evaluation of compliance with statutory obligations, however. It is also intended to demonstrate how the controller respects the privacy of the data subjects, i.e. the subjects of the processing of personal data. Implementation of accountability increases trust in the operations of the controller.

Controllers are required to take the required technical and organisational measures to fulfil the requirements of accountability. Accountability also includes a documentation obligation, which involves taking and recording certain measures.

The obligations arising from the GDPR’s requirements concerning accountability must be evaluated on a case-by-case basis.  Among other things, the extent of accountability depends on factors such as the size of the organisation, amount of personal data and the nature of the personal data processed by the controller. The controller must take accountability into consideration when planning the processing of personal data. The documentation and measures must be continuously updated and carefully managed.

Measures and documents for the implementation of accountability

  • A record of processing activities, i.e. a general description of the processing of personal data (GDPR, Article 30)
    • This also applies to processors of personal data
  • The realisation of data protection by design and by default in operations (Articles 5 and 25)
  • Possible wider data protection policies (Article 24.2)
  • Notification practices (Articles 12–14)
  • Evaluations of the legal basis for processing (Articles 6‒10)
    • If the processing is based on consent, the documentation related to consent (Articles 7 and 8)
    • If the processing is based on the legitimate interests of the controller or a third party, the balance test (Article 6.1.f)
  • Other internal and external guidelines (Articles 12, 13, 14, 24, 25, 28, 29 and 32)
    • The risk assessment documentation and technical and organisational safeguards implemented
    • Internal and external guidelines for exercising the rights of the data subjects
    • Instructions for processors and personnel who process personal data
    • Internal inspections and audits
  • Impact assessment (Article 35)and prior consultation (Article 36) documentation
  • Documentation of personal data breaches (Articles 33 and 34) and the related process
  • Documentation related to the position and duties of the Data Protection Officer (Articles 37–39)
    • If the organisation decides to adopt a solution not advised by the Data Protection Officer for processing personal data, the grounds for the decision should always be documented
  • Agreements related to the processing of personal data (Article 28)
  • Areas of responsibility of joint controllers (Article 29)
  • Possible documentation concerning the definition of the lead supervisory authority (Article 56)
  • Documentation on the transfer of personal data to third countries (Chapter V)

Some obligations imposed by the GDPR only apply to a part of the organisation or some processing activities. Examples of such obligations include the obligation to designate a Data Protection Officer, carrying out the data protection impact assessment, prior consultation and the obligation to draw up a record of processing activities. It is advisable to document how the decision on whether or not to comply with these obligations was made.

Certificates and codes of practice can be adopted to support the realisation of accountability.