Part 7: The New Accountability Regime
Accountability has been described by the Article 29 Working Party as a way of “showing how responsibility is exercised and making this verifiable”.
Accountability is far from being a new concept. It was introduced back in 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
In 2010, the Article 29 Working Party issued an Opinion on the principle of accountability where it put forward a concrete proposal for adding a principle of accountability so data controllers “put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with and to demonstrate so to supervisory authorities upon request”. According to the Article 29 Working Party, the accountability principle “should contribute to moving data protection from ‘theory to practice’ as well as helping data protection authorities in their supervision and enforcement tasks”.
Accountability in the Data Protection Directive
Although the Data Protection Directive does not specifically refer to the term “accountability”, a number of its provisions set a basis for accountability:
- Data controllers must ensure compliance with the main principles relating to data quality
- Notification obligations towards the DPAs
- Duty to implement “appropriate technical and organizational measures” to safeguard and protect data.
Need for specific provisions relating to accountability
Specifically referring to accountability in the Regulation will ensure in a more effective manner that data controllers comply with their obligations. As mentioned by the Article 29 Working Party , to ensure the effectiveness of the provisions of Directive 95/46/EC, it would be necessary to fully integrate the data protection principles in the data controller’s “shared values and practice”.
In addition, the increased risks presented by big data, increased transfer and centralisation of data, and the rise in cybercrime mean accountability is more important for data controllers to show that they use privacy as a positive safeguard, helping them to regain the trust of their customers.
What does the Regulation require for accountability?
Article 22.1 of the current version of the Regulation relating to the Obligations of the controller provides that:
“Taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of risk for the rights and freedoms of individuals, the controller shall implement appropriate measures and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation”.
The three drafts of the Regulation currently in circulation differ in how prescriptive they are about what is required in practice by Article 22 and the principle of accountability. They variously include the following elements:
- Adoption of measures, such as an internal or external audit process, to demonstrate that an organisation’s processing of personal data complies with the Regulation
- Implementation of technical and organizational methods to protect data against unauthorized or unlawful processing
- Keeping records of the processing of personal data which the organization carries out. The level of detail required is not yet settled, but it is likely that it will be similar to that currently required for data protection registrations in many Member States at present, for example, the purposes of processing, the categories of data subjects and data, the recipients or categories of recipients of data and, if possible, the time limits for deletion of the different categoriesof data
- Carrying out data protection impact assessments foroperations which present specific risks to individualsdue to the nature or scope of the processing operation
- Appointment of an independent data protection officer (DPO). Although his prescribed tasks vary between the three drafts, the role of the DPO is critical for accountability. He is required to inform the controller of its obligations under the Regulation, and to monitor the implementation and application of the controller’s policies in relation to personal data.
How can businesses start to prepare?
Whatever the final text of the Regulation, it is likely that the DPAs will provide further details of what they expect in this area. Indeed, as mentioned above, the CNIL has already done. Pending agreement on a common approach what can businesses be doing to prepare now?
The key concept to keep in mind is that this is about embedding privacy in the organization. Many organizations have internal privacy policies which set out the principles to which the organization will adhere, but implementation goes little further than posting the policy on the intranet. As the Article 29 Working Party memorably put it in its 2009 paper on “The Future of Privacy”, the principles and obligations “should permeate the cultural fabric of organisations, at all levels, rather than being thought of as a series of legal requirements to be ticked off by the legal department.” Companies need to be thinking not only about what compliance requires but how to communicate that throughout the organization.
Steps which you can take at this stage to help plan your approach to accountability include:
- Identify and review all your existing policies to see what your current state is. This may go far wider than privacy policies, to encompass IT and security policies, protection of information assets, use of electronic communications and monitoring
- An effective accountability programme needs support from senior levels of the organization. Start identifying key stakeholders who may be able and willing to provide this
- Identify where data is processed within your organization from both a functional and a geographical perspective. Remember to include third party processors
- Do a gap analysis of what processes you have in place for handling new and existing data protection For example is there a clear process for handling requests for data subjects in relation to their data?
- Identify who the key actors are in relation to data processing so that you can involve them in developing processes
- Consider whether you have existing audit processes within the organization which you can leverage to monitor compliance in this area.
What to do now
- Identify your current state: review all relevant existing policies, and identify where data is processed within your organisation from both a functional and a geographical perspective.
- Do a gap analysis of what processes you have in place for handling new and existing data protection obligations.
- Identify key actors in relation to data processing so that you can involve them in developing new processes.
- Identify key senior stakeholders to support your accountability programme.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.