Accountability in scientific research
The controller must be prepared to demonstrate that data protection regulations have been taken into account in the study. Researchers must document the implementation of data-protection principles and other procedures specified in the GDPR.
Accountability requires transparency in the processing activities, so that the controller can demonstrate compliance with the obligations provided for in the GDPR. In practice, the controller is required to demonstrate that it has designed the processing of personal data in a manner that effectively implements the principles of data protection in the research project.
Accountability also includes a documentation obligation. Some of the obligations imposed by the GDPR (e.g. record of processing activities, impact assessment, designating a Data Protection Officer) are dependent on the processing activities or the organisation processing the personal data. Therefore, the documentation requirements for individual research projects also depend on these factors.
The controller’s decisions related to data protection must also be documented in order to demonstrate why a given action was or was not taken in the research project. Decision-making should be documented if the controller decides to act against the instructions of the Data Protection Officer or decides not to notify the Data Protection Officer of a personal data breach, for example.
Additional information on the documentation required for accountability