Transparency, accountability and control over personal data are the key pillars of the new privacy legislation, the General Data Protection Regulation (GDPR). In this eighth episode I will explain what is meant by accountability and how organizations can give it concrete shape.
Organizations that process personal data have an accountability obligation. This means that merely complying with privacy legislation is not sufficient; they must also be able to actively demonstrate, at all times, that they comply with it. Organizations will therefore have to document as much as possible, if not everything. The accountability obligation is laid down explicitly in Article 5(2) GDPR. Article 5(1) sets out the principles governing the processing of personal data. These principles are partly in line with what was discussed in the first blog, but are somewhat more comprehensive. Paragraph 2 then prescribes that the controller is responsible for compliance with these principles and must also be able to demonstrate that compliance. In other words, compliance alone will not do the trick. Moreover, accountability is not limited to these principles, but extends to compliance with the entire GDPR.
In real terms, this means that your organization needs to document a number of things. What are your obligations under the law, and how do you implement them within your organization? This needs to be laid down in a document or protocol. In addition, the GDPR requires you to keep a processing record.
Record of processing activities (“processing record”)
Under the current WPB, organizations are required to report data processing activities to the Dutch Data Protection Authority (AP), unless they are exempt. This obligation to report will expire on 25 May 2018 and will be replaced by a processing record. You no longer need to report, but you must document a number of things internally and be able to show them to the AP. Organizations must maintain a (written or digital) record in which all personal data processing activities are described. This obligation applies to:
- Companies or organizations with more than 250 employees;
- Organizations whose processing involves a risk to the rights and freedoms of the data subject;
- Organizations whose processing is not merely occasional;
- Organizations that process special categories of data or criminal data.
Since most organizations process personal data on a structural basis, almost all organizations will have to comply with this obligation.
The following must be included in the record (Article 30 GDPR):
- The contact details of the controller or its representative and, if applicable, also the data protection officer (or, otherwise, the reasons why none is needed);
- The processing purposes;
- Categories of data subjects and personal data;
- Categories of recipients to whom the data will be provided;
- If data are provided to other countries: indication of the other country and, where appropriate, documentation of the appropriate safeguards for the protection of personal data in this other country;
- The intended retention periods;
- A general description of the technical and organizational security measures.
If your processing basis is founded on a legitimate interest (see blog #1), you must also document the balance of interests in this record.
Not only the controller must keep this record, but also the processor. The processor has to record somewhat less: the purposes, the categories of recipients and the intended retention period of the processing do not have to be recorded by the processor.
You can imagine that implementing the legislation will require a huge effort, not least an administrative one. You must comply with the legislation, you must demonstrate that you comply with it, you must document everything, and even if you believe that a provision does not apply to you, you must document why you think so. All responsibility lies with you, and the Personal Data Authority will receive assistance in its supervisory duty. The fact of the matter is that, at the request of the AP, you must be able to show a number of things within one or two working days. If you cannot do so, you risk a fine.