Are you taking this seriously? Accountability in data protection law

Data Protection Consulting Limited

Accountability means demonstrating compliance with the data protection principles.

This article looks at what that means in practice, what should you do? how much should you do?

It is important to be seen to do something. The fines tend to fall where the regulator finds "systemic compliance failures".

Compliance activity will help protect your business against data breaches. Evidence of compliance activity can help to mitigate the effects of breaches.

Organisations are expected to put into place comprehensive but proportionate governance measures. Data protection should be appropriate in the circumstances of the processing.

This is a standard theme throughout GDPR. Ultimately, the governance measures will minimise the risk of data security breaches and uphold the protection of personal data.

In practice, they are likely to mean more policies and procedures for organisations and ongoing compliance checks to ensure that procedures are practical and effective and that colleagues know what they are, where they are and when to follow them.

How do we demonstrate Accountability?

Adopt written policies and procedures

There are standard policies and procedures that relate to personal data processing which the national supervisory authority would expect to see: an overarching Data Protection Policy, other policies and procedures to regulate data sharing, outsourcing data processing to third parties, data retention, handling the exercise of subject rights, using CCTV, security of personal data and other operational policies and procedures to set down guidelines for how personal data is obtained, used and stored.

We often see fines levied, not as a result of a complaint or a data security breach, but because the regulator's investigation revealed evidence of "systemic failures in compliance".

For our list of recommended policies and procedures we have a Checklist, currently free to download (until 14 December 2018) on our website at

The Data Protection Policy should be adopted by the highest level of management in the business to indicate to employees (and the regulator) the firm’s commitment to compliance.

All relevant policies and procedures need to be promoted to colleagues, if they are not aware of them or do not understand how they apply to their work, they will not be followed.

Regular reviews of the effectiveness of policies and procedures should be carried out and the findings documented.

Activities change over time, colleagues find quicker ways of working, policies and procedures need to reflect current practice as well as current legal interpretation of issues.

Documenting audit activity is a key element of Accountability. Clearly define roles and responsibilities All colleagues carry some responsibility for data protection compliance and they discharge that duty by following documented policies and procedures.

There are also some key roles with responsibilities that should be set out in the organisation's Data Protection Policy as follows:

The Senior Management Team

The Senior Management Team should be highlighted as being ultimately responsible for delivering a legally compliant service or product offering.

The Data Protection Officer or Data Protection Adviser

Some data processing activities require the appointment of a Data Protection Officer and the promotion of a central point of contact for queries about data protection will help focus awareness of data protection in colleagues.

Use a different job title if a designated DPO is not required, Data Protection Adviser or Data Protection Coordinator.

The Risk Manager

The risk management process should expressly include data protection risks from identification of risk, through managing and avoiding the risk to reporting to the highest level of management.

The contact for reports of data security breaches

A central contact for reporting personal data breaches is essential to ensure that problems are picked up quickly and referred appropriately.

Line Managers

Line Managers should be made specifically responsible for the personal data processed in their department.

Carry out training

Ensure that all employees whose job involves handling personal data are trained at least annually in their responsibilities and obligations under data protection law.

Some actions, such as unauthorised disclosure of personal data, are criminal offences for which individual employees can be liable.

Other key information for employees is that personal data has a value and unscrupulous persons may use fraud and deceit to try to access it unlawfully.

Do we need to carry out audits?

It depends on the risk presented to data subjects, their personal data and their rights by the personal data processing operations carried out by your organisation.

The level of risk should inform whether audits are required and how frequently they are required.

As well as risk there are other circumstances that may influence the decision to undertake a data protection audit.

Instructing an audit can be a good way to demonstrate to clients that the organisation is focused on compliance as part of its service offering.

A good audit report can help to build trust.

Also large and/or prestigious organisations should have a complete compliance audit plan of which data protection will necessarily be a part.

Issues identified in an audit report must be taken forward. Either comply with the recommendation or explain why it would be inappropriate, in writing.

An audit report is always in writing and provides an audit trail of the weaknesses of the organisation's data protection so it is vital that a written response is made in every case.

In conclusion

Accountability will look slightly different for every organisation but these key elements should be covered.

Check internal compliance controls against this and every other checklist you can lay hands on.

If you would like any assistance with data protection issues, creating the right records, policies and procedures or carrying out a Health-Check, contact us at

Mandy Webster Data Protection Consulting Limited