The accountability principle of the General Data Protection Regulation (GDPR) requires that data controllers are responsible for ensuring compliance with the regulation and must be able to demonstrate that they have implemented appropriate measures to protect personal data. This principle plays a vital role in ensuring transparency, trust, and accountability in the handling of personal data.
To demonstrate accountability, organizations need to ensure that they have implemented adequate technical and organizational measures to protect personal data. These measures include security protocols, access controls, and risk assessments to prevent unauthorized access, loss, or destruction of personal data. Organizations must also ensure that their staff are adequately trained in data protection principles and that they understand their role in ensuring GDPR compliance.
Privacy impact assessments (PIAs) are another tool that organizations can use to demonstrate accountability. PIAs help organizations identify the potential privacy risks associated with a project or activity and implement appropriate measures to mitigate these risks. PIAs can also help organizations to build privacy into their design processes, reducing the risk of privacy breaches.
Data Protection Officers (DPOs) are appointed by organizations to oversee data protection policies and practices and ensure compliance with GDPR. While DPOs are mandatory in some cases, even where they are not required, they can help organizations to demonstrate accountability and build consumer trust.
Organizations must also have a robust data breach response plan in place. This plan must be able to deal with any potential breaches in a swift and effective manner, ensuring that affected individuals are notified, and measures are taken to prevent future breaches.
“Accountability is the cornerstone of data protection. It means being responsible for your actions and being able to demonstrate that you have taken appropriate measures to protect personal data.”
Elizabeth Denham, UK Information Commissioner
Recent GDPR enforcement actions have demonstrated the importance of accountability in ensuring GDPR compliance. In 2020, H&M, the Swedish fashion retailer, was fined €35.3m for monitoring employees’ personal activities and storing sensitive personal data without their knowledge or consent. The fine was imposed for violations of the GDPR’s integrity and confidentiality principle, and these violations were also found to breach the accountability principle. H&M had failed to demonstrate that it had taken appropriate measures to protect personal data, and as a result, it was held accountable for the breach.
Another example of the importance of accountability can be seen in the 2018 data breach at Facebook, which exposed the personal data of millions of users to a political consulting firm. Facebook was held accountable for the breach, and as a result, it was fined €110m by the Irish Data Protection Commission. The breach was a clear violation of the GDPR’s integrity and confidentiality principle, and Facebook was found to have failed to take appropriate measures to protect personal data.