“ACCOUNTABILITY” AS A DEMONSTRATION OF COMPLIANCE WITH GDPR:

“ACCOUNTABILITY” AS A DEMONSTRATION OF COMPLIANCE WITH GDPR:

Introduction:

The GDPR specifies certain basic principles within its framework pertaining to Personal Data Processing. They are fairness, transparency, lawfulness, purpose limitation, storage limitation data minimization, accuracy along with integrity, and confidentiality. These principles, despite being important in themselves shall become toothless in their application without the “Accountability” principle which makes the controller responsible for:

  1. Compliance with the principles enumerated above when personal data is being processed
  2. Demonstration of such compliance by manifesting the measures undertaken.

All organizations processing personal data are under a legal obligation to adhere to the accountability principle which is in consonance with the responsibilities of a controller or processor of personal data enlisted under GDPR.

The responsibilities of a controller or processor, as enshrined in Article 24 of the GDPR are inclusive of:

  1. Appropriate technical and organizational measures are being implemented.
  2. Data protection policies being executed
  3. Certification
  4. Ensuring fidelity to the Code of Conduct

In addition to these, there are certain other obligations on the part of a controller of an organization, these include;

- Inculcating data protection by design and default,

- Keeping records of processing activities,

- Notifying incidents of personal data breach to supervisory authority and data subjects,

- Execute Data Protection Impact Assessment in cases of personal data processing

being subjected to high risks, and

- Appointing a Data Protection Officer.

Responsibilities to demonstrate Accountability:

Any organization that processes personal data of data subjects, must implement certain appropriate technical and organizational measures, an instance of which has been defined under GDPR as pseudonymization.

Pseudonymization is the process that renders personal data specific to a data subject incomplete without additional information stored separately and applies measures to ensure that it is not identifiable to a particular person.[1] This measure of pseudonymization can be designed to be implemented by default, at the time of processing the data, to protect the personal data yet to be processed, often referred to as ‘privacy by design.[2]

Organizations with 250 employees are charged with the responsibility to maintain physical as well as electronic records of the activities pertinent to data processing. The said record must necessarily contain

  1. Contact details of the controller or processor
  2. Purpose for processing
  3. Categories of Data Subjects defined
  4. Categories of Recipients of Data Processing defined
  5. Anticipate the time limits of erasure of different Categories of Data
  6. Description of technical and organizational security measures.

This exception of the number of employees in an organization would not be applicable in cases of processing of personal data resulting in a risk to rights and freedoms of data subjects.

The personal data, while it's at the processing stage, must be protected by the organization by ensuring security is adequate and relevant to the risks. The measures are inclusive of :

  1. Pseudonymization
  2. Encryption of personal data
  3. Ensuring continuous confidentiality, integrity, and availability of such measures and services
  4. The ability to restore access to lost data in the event of a physical or technical incident.
  5. Regular testing, assessment, and evaluation of the potency of the technical and organizational measures employed.

A personal data breach shall be notified without undue delay to the concerned supervisory authority. This shall include:

- A description of the nature of the data breach that occurred,

- Contact details of the data protection officer,

- Details of the consequences to the data subject likely to be caused because of the data breach.

- The measures are taken or to be taken by the controller to mitigate the adversities.

In Furtherance of the above, if the breach in the nature of causing a high risk to the rights and freedom f natural persons, it shall also be communicated to the Data Subject, in clear and comprehensible language and shall contain:

- Nature of personal data breach

- Information provided in the notification to the supervisory authority

Data Protection Impact Assessment

This is another exercise mandated under the GDPR to be performed by:

Any organization that processes personal data, by employing new technologies based on automated processing inclusive of profiling, considering the nature, scope, context, and purposes of the processing, where there is a high risk to rights and freedoms of natural persons, or there is a requirement of systematic monitoring of publicly accessible area on a large scale.[3]

The GDPR also necessitates carrying out the assessment for large-scale processing of personal data belonging to special categories revealing

-Racial or ethnic origin,

- Political opinions,

- Religious or philosophical beliefs, or

- Trade union membership, or

 - Genetic data,

- Biometric data for the purpose of uniquely identifying a natural person,

- Data concerning health or data concerning a natural person’s sex life or sexual orientation.[4]

The Data Protection Impact Assessment must systematically describe the processing operations and the purposes of the processing, including, the legitimate interest pursued by the controller; assessment of the necessity and proportionality of the processing operations in relation to the purposes; assessment of the risks to the rights and freedoms of data subjects and, measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data.[5]

Appointment of a data protection officer

There is an obligation by the virtue of Article 9(1) of the GDPR, to appointing a Data Protection Officer (DPO) to organizations

- Processing personal data of data subjects,

- Processing of special categories of personal data, or

- Which require regular and systematic monitoring of data subjects on a large scale

For more details on the functions of a DPO please read What is a Data Protection Officer, and how can you become one?

Code of Conduct

For the processing of personal data, an organization must put together a Code of Conduct which shall highlight the key aspects and principles of personal data protection that need to be compulsorily observed. These are inclusive of

- Pseudonymisation of personal data.

- Information provided to the public and data subjects.

- Exercise of rights of data subjects.

- Information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility for children is to be obtained.

- Transfer of personal data to third countries or international organizations.

- Dispute resolution mechanisms to resolve disputes regarding the processing of personal data, and all the other responsibilities that have been elaborated in this segment.[6]

Conclusion:

The principle of accountability is the most basic personal data protection principle, that holds any organization processing various categories of personal data, accountable to the data subjects. However, the demonstration of this principle, by undertaking the responsibilities entrusted within the purview of GDPR is beneficial in securing the rights and interests of the data subjects, and from being held liable for any forms of a personal data breach, by having taken appropriate measures to prevent such breaches.

 [1] Article 4(5), General Data Protection Regulations.

[2] Article 25, General Data Protection Regulations.

[3] Article 35, General Data Protection Regulations.

[4] Article 9(1), General Data Protection Regulations.

[5] Article 35(7), General Data Protection Regulations.

[6] Article 40, Data Protection Regulations.

Made with