Accountability of the Controller

The controller shall be responsible for, and be able to demonstrate compliance with the GDPR’s principles. The principles are:

lawfulness, fairness and transparency
purpose limitation
data minimisation
storage limitation
integrity and confidentiality

As it is the controller who decides on why and how personal data must be collected and used, it is the controller who is responsible for demonstrating compliance with the GDPR. 'Accountability' is one of the principles upon which the GDPR is based.

The controller must be aware of punitive measures that could be implemented in the event of non-compliance.

Two main elements of accountability:

the need for a controller to take appropriate and effective measures to implement data protection principles; and
the need to demonstrate upon request that appropriate and effective measures have been taken

The specific measures to be applied must be determined depending on the facts and circumstances of each particular case, with particular attention to the risk of the processing and the types of data.

Common accountability measures

establishment of internal procedures prior to the creation of new personal data processing operations;
setting up written and binding data protection policies to be considered and applied to new data processing operations (e.g., compliance with data quality, notice, security principles, access, etc), which should be available to data subjects;
mapping of procedures to ensure proper identification of all data processing operations and maintenance of an inventory of data processing operations;
appointment of a data protection officer (where relevant) and other individuals with responsibility for data protection;
offering adequate data protection training and education to staff members. This should include those processing (or responsible for) the personal data (such as human resources directors) but also IT managers, developers and directors of business units;
setting up of procedures to manage access, correction and deletion requests which should be transparent to data subjects;
establishment of an internal complaints handling mechanism;
setting up internal procedures for the effective management and reporting of security breaches;
performance of data protection impact assessments in specific circumstances;
implementation and supervision of verification procedures to ensure that all the measures not only exist on paper but that they are implemented and work in practice (internal or external audits, etc);

Migration from the Directive to the Regulation

Controllers should also consider reviewing:

existing processor contracts
validity, where ‘consent’ was used as a legal basis for processing
validity, where ‘legitimate interests’ was used as a legal basis for processing
whether any existing operations might now be considered ‘high risk’
any communications and business with children online

The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.