The principle of accountability almost always plays a key role when the EU's new Data Protection Regulation (GDPR) is discussed. This principle is often referred to as a "super principle". Although the accountability principle has not been mentioned so often before, it is not a novelty introduced by the GDPR: accountability already appeared in Section 14 of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. However, the GDPR has brought accountability more into focus than before.
It is interesting to note that the word "accountability" itself occurs only two times in the Regulation, once in the preamble and once in the list of principles.
This principle expresses and strengthens the central role of the data controller in ensuring the lawfulness of the whole data processing activity and compliance with the relevant data protection and data security rules. In many cases, the general rules cannot provide detailed guidance for each data processing activity, but they provide a framework within which data controllers have a relatively large freedom to elaborate on the details.
However, this freedom also means responsibility, since data controllers will be accountable for the decisions they make in connection with their data processing activities. In addition to the obligation to comply with the data protection rules, another important element of accountability is that the data controller must be able to prove this compliance. We might say that it is not enough to comply with the rules; compliance must also be demonstrated.
What is accountability exactly?
Article 5 (2) of the Regulation sets out the principle of accountability, according to which the data controller shall be responsible for, and be able to demonstrate, compliance with the data protection principles.
According to Győző Endre Szabó, vice president of the Hungarian data protection authority: "The principle of accountability is twofold: on the one hand, it expects the data controller to develop internal rules, processes and mechanisms that are necessary to fulfill the obligations arising from the regulation and, on the other hand, it expects the ability to demonstrate the compliance." (Pázmány Law Working Papers, 2016/27)
The introduction of the principle into European data protection legislation was also promoted by the Article 29 Working Party (WP29) (Opinion 3/2010 on accountability). According to the opinion, the goal would be to turn "the general data protection principles into concrete policies and procedures that are defined at the level of the controller, in compliance with applicable laws and regulations." (Opinion 3/2010, p. 9) This way, data protection can work much more practically and efficiently. The opinion of WP29 also emphasizes that "the new provision does not aim at subjecting data controllers to new principles but rather at ensuring de facto, effective compliance with existing ones." (Opinion 3/2010, p. 10)
What specific steps should data controllers take to meet accountability requirements?
The principle of accountability is further elaborated by the Regulation itself, which sets specific obligations for data controllers that must be complied with in order to meet the requirements of accountability.
The Regulation generally stipulates that "taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary." (Article 24 (1))
In addition to the above general obligation, a number of the provisions of the GDPR can be regarded as measures that are specific expressions of the accountability principle as manifested in the activities of data controllers. In particular, these include:
- compliance with data protection by design and by default requirements (Article 25);
- selection and use of the appropriate data processors (Article 28);
- maintaining a record of processing activities (Article 30);
- taking the appropriate data security measures (Article 32);
- proper management of data incidents (Articles 33 to 34);
- performing a data protection impact assessment (Article 35);
- appointment of the Data Protection Officer (Article 37);
- accession to the Code of Conduct (Article 40);
- accession to an approved certification mechanism (Article 42); and
- the application of binding corporate rules in the case of the transfer of personal data (Article 47).
Of course, the above is not an exhaustive list, and its items do not apply to all data controllers equally. At the same time, it gives an overview of which specific data protection measures should be considered when talking about accountability. Based on WP29's opinion, the above list can be supplemented with additional elements such as setting up written and binding data protection policies, offering adequate data protection, providing training and education to staff members, establishing an internal complaints handling mechanism, setting up procedures to manage access, correction and deletion requests, and implementing and supervising verification procedures (audits), etc. (Opinion 3/2010, pp. 11-12)
Since data controllers must be able to demonstrate compliance, proper documentation of the steps taken is essential.