Demonstrating Accountability: What’s it all about?
It is over two years since the Data Protection Act (2018) and GDPR came into force. Most organisations expended a lot of effort in becoming compliant, breathing a sigh of relief when the work was completed. The bad news is that this was only the start.
One of the key principles outlined in GDPR is accountability, which means that organisations are responsible for not only being compliant but also demonstrating compliance on an on-going basis. This is a legal obligation.
The first phase of GDPR compliance was about creating the artefacts required to be compliant – policies, registers, data protection impact assessments, breach procedures, etc. Now that we are two years further on, the focus is shifting to demonstrating compliance. This is an entirely different competency, one which many organisations are failing to achieve.
Our experience indicates that the majority of organisations have the required compliance artefacts in place, but use them either in an ad-hoc fashion or superimpose them on operational processes. The impact is that privacy and data protection, although considered, are not fully embedded or proactively managed. They are not part of the organisational DNA.
This can be a challenge. For organisations that operate in regulated environments, such as financial services, risk-based regulation and accountability are nothing new. Over the years, these industries have come to understand their responsibilities, building regulation into operating practices, putting governance around them and training people appropriately. Putting GDPR into place was a relatively straightforward exercise. However, for many, GDPR is the first piece of risk-based regulation they have had to implement, and accountability is an entirely new concept. They do not have the structures or training in place to manage it effectively. The closest many have come is health and safety legislation.
Another factor that influences an organisation’s success in embedding accountability is whether an organisation has dedicated data protection resources in place and their level of seniority. Organisations with a data protection officer should be in the best position to drive accountability through an organisation, as they have the seniority to influence and drive the required change. Where compliance resources are in place but form part of a broader team, they tend to be analysts who may present findings, but are unable to influence. Those organisations without dedicated data protection resources find accountability a challenge.
This paper is primarily targeted at organisations without a data protection officer.
What is Accountability?
As mentioned earlier, accountability means that an organisation is responsible for becoming GDPR compliant and then evidencing/demonstrating it on an on-going basis. They need to be able to show that they comply with the other 6 data protection principles – ‘lawfulness, fairness & transparency’, ‘purpose limitation’, ‘data minimisation’, ‘accuracy’, ‘storage limitation’ and ‘integrity & confidentiality’. This is achieved by following the requirements set out in the rest of GDPR.
It should also be remembered that data controllers, as well as needing to be compliant themselves, are also responsible for compliance across their supply chain when appointing processors. This makes the evidencing of compliance even more of a challenge (we will address supply chain issues in a separate blog).
When it comes to evidencing compliance, there are typically six key components that need to be evidenced. Bear in mind that these measures should be proportional to the processing your organisation conducts, so not everyone needs the same level of rigour. Our understanding is that the key areas to be evidenced are:
- Data protection policies – we believe that organisations above a micro-enterprise level should have a data protection policy, and all should have privacy notices in place. The detail contained should depend on the volume and sensitivity of processing conducted. The critical point here is that the organisation follows the framework set out in the data protection policy, supporting it with procedures where necessary, and capturing data to evidence it has been followed, typically by some form of audit trail.
- Data protection by design & default (DPDD) – this is a core element of accountability, a legal requirement, and probably the most poorly implemented. DPDD requires privacy and data protection to be considered from the initiation of an idea that involves personal information, through design and build, into operations, and through to end of life, when the personal information is ultimately destroyed after the retention period. It should cover the full lifecycle. This requires privacy and data protection to be embedded as part of these activities, ensuring they are considered at key decision points and that decisions are captured. Data protection impact assessments form part of this process, but on their own do not address the issue. As you might appreciate, this is a big topic and one we will discuss in a separate blog.
- Data breach management – you must be able to demonstrate that you are actively managing any data breach. This should involve maintaining a breach register and a reporting process, and responsibilities in the event of a breach should be clearly understood. This is one of the more straightforward areas to evidence, but it is still surprising how many organisations have a blank breach register!
- Contracts – you are required to have a contract or other legal document (e.g. a data processing agreement or inter-company agreement) in place with any other legal entity outside your own. This agreement should then contain the clauses required under GDPR. Accountability means that you need to have a checkpoint as to whether the supplier is a processor or not, ensure the necessary clauses are in place, sign off the contract, have some form of checks to make sure the data protection requirements in the contract are adhered to and evidenced throughout its life, and confirm that the data is ultimately deleted at the end of the retention period. The contracted activity may span years and involve multiple changes, so the approach needs to be proportionate and pragmatic.
- Governance & Reporting – I have deliberately left this till last. This is about ensuring that there are clear accountabilities for data protection in the organisation, an approach for ensuring the above activities take place, some form of reporting to provide evidence it is happening, and a process for ensuring any risks and issues can be clearly escalated and addressed. This requires a governance model.
I would stress again that the approach to implementing accountability has to be proportionate to the processing activity. Where we have deployed solutions in smaller organisations, it is about clearly identifying a sponsor & their responsibilities, giving employees checklists and tools to aid their decision-making process through their daily activities, providing training and then getting managers to check that activities have been completed. We then recommend an annual health check or audit that validates compliance. The approach has to be pragmatic, or it doesn’t work.
What happens in practice today?
The points that we make here are generalisations; each organisation is unique in its own way and at different levels of maturity.
As mentioned previously, those organisations with a data protection officer (DPO) tend to be at a higher level of maturity when it comes to accountability. This is a clear responsibility of the DPO: the organisation has recognised the need to appoint them, it is a funded role or team, and the individual should be empowered to drive the required change. If only it were as easy as that!
We are more interested in how organisations without a DPO are going about demonstrating accountability. This covers organisations both large and small, as not all believe they are required to appoint a DPO. As already outlined, the vast majority of organisations have implemented the necessary artefacts to support GDPR compliance but struggle to evidence their accountability on an on-going basis. There are several common failings that we see:
- Data protection policies – in our experience, the majority of companies have published privacy notices and have a data protection policy in place. Privacy notices tend not to be fully compliant, with several components not addressed. In smaller organisations, the data protection policy tends to over-commit and is not followed. I’ve yet to see an SME with an internal audit team! The linkage between policy and operations is not there in the form of checklists, guidelines or training, meaning that it is difficult to evidence compliance with the policy.
- Data protection by design & default – across organisations of all sizes, we see data protection impact assessments (DPIAs) being used to justify DPDD. Where these are undertaken, they are most frequently used in projects rather than in any other aspect of the business lifecycle. A full-blown DPIA is only a legal requirement for certain types of processing – where there is a high risk to the impacted individual or new technologies are involved – and DPIAs are complex and difficult to complete when an individual is not experienced in conducting them. Organisations should be moving away from DPIAs unless they are necessary, and start to put simple controls in place across their processes that ensure privacy and data protection are considered at the right points.
- Data breach management – in all but the smaller organisations, this appears to be relatively well managed, normally by an IT team. Smaller firms tend to use cloud services more, so there is a dependence on the supplier to have appropriate breach management procedures in place. In these smaller organisations, breach registers are frequently not in place, but if there is an issue, the answer is to go to the top. Just remember, an empty breach register does raise questions in a regulator’s mind.
- Contracts – implementation of accountability when it comes to contracts is inconsistent. Many new contracts have GDPR clauses inserted, typically at the instigation of suppliers, but legacy contracts tend not to have been remediated. Through the run phase of contracts, there is processor support in terms of breaches and data subject requests, but that’s about it. In all but the largest organisations, there is very little done in the way of contract monitoring.
- Governance & reporting – although an executive was typically responsible for GDPR compliance when it initially came into force, they have gone back to their day job, and the accountability is unclear. Consequently, governance structures tend to be lax and reporting inconsistent. If there is an event, the organisation mobilises and responds, which is great, but it is very difficult to evidence compliance in these circumstances.
A good example of where accountability needs more consideration would be in the digital arena. Frequently involving the personal information of consumers, business customers or employees, organisations tend to use third-party integrators to get these systems or apps developed and operational. The integrators will say, quite rightly, that they are not data processors and are simply building your digital tools. However, they are building tools that contain personal information on your organisation’s behalf. Most of these firms have structured methodologies in place that address data security, amongst other things, but where is the evidence that the tool being built meets your organisation’s data protection responsibilities? The integrators are not processors and have no data protection responsibilities, but when appointed, should they not be required to explain where data protection fits within their methodology and contract to deliver such requirements? If they don’t, how can you achieve your organisation’s responsibilities under DPDD and, ultimately, evidence compliance when the tool is operational? There is a potential scenario in which the new digital tool you are implementing has not addressed data protection considerations, presenting your organisation with potentially significant risk. If accountability had truly been considered, this risk would be minimised, if not eliminated.
In summary, most firms have put in place artefacts to make them appear to be GDPR compliant. However, when it comes to evidencing compliance on an on-going basis – accountability – there is much work still to do.
One thing that is important to bear in mind when striving to be accountable is that there are very few organisations that are 100% compliant at a point in time. Organisations change, and it takes time for them to adapt. Regulators will accept this as long as you can demonstrate you have the fundamental components in place and are actively managing them. On the other hand, if you have blatantly ignored the accountability requirement, you are more likely to get fined.
As we have tried to outline, demonstrating accountability is mainly about building privacy and data protection into the DNA of your organisation. By identifying an accountable owner in your organisation and making their responsibilities clear, implementing a set of simple controls that generate evidence, training people and having a robust governance structure in place, accountability can be achieved without introducing significant cost into the organisation. The challenge is two-fold: how to get the right structures in place, and then how to manage them on an on-going basis.
Sometimes it is useful to think about accountability in the context of a data protection framework, as shown opposite. This is a continuous cycle that you should be considering on an annual basis.
In terms of current operations, most organisations will be switching between the ‘establish’ and ‘embed’ phases. This is because artefacts are in place and may be used in an ad-hoc or routine manner, but they are typically not embedded into operations. Consequently, you are unlikely to be generating the evidence required to support the accountability requirement. If you were to conduct a third-party GDPR assurance check at this stage, there would be a high probability that you would not get a favourable outcome, as you are unlikely to be meeting key legal requirements.
It is only when organisations establish an ‘evaluate’ and ‘improve’ cycle that they start to embed privacy and data protection into their operations. Today, few organisations are routinely conducting these phases.
So, how should I go about making accountability a process of continuous improvement, reducing the risk posed by data protection regulation?
From Ixium’s perspective, we have found the following approach provides a pragmatic way of getting to the right place.
- Establish a baseline
The reality is that there are aspects of most organisations’ data protection compliance that fall short of the mark, particularly around accountability, data protection by design & default and privacy notices. We recommend that the first step is to really understand what your compliance gaps are. There are self-assessment templates published by the ICO that can help with this or a range of companies, including Ixium, who can conduct an audit or health check to help set your baseline.
- Develop an improvement plan
In the first iteration, your improvement plan should focus on ensuring that you have the appropriate components – outlined above – in place to evidence compliance, both as a one-off and on a continuous basis. Once this phase is completed, you should be fully compliant with regulatory requirements, but at the beginning of your on-going accountability responsibilities.
- Embed data protection framework
Once the components are in place, you will be in a position to start using the data protection framework regularly; we would suggest on an annual basis. It is this that will enable you to apply a continuous improvement approach to integrating privacy and data protection into your processes, so that you are able to demonstrate accountability confidently and effectively.
At this stage, if you were to commission a third-party GDPR assurance exercise, you should be confident that you would pass, demonstrating your GDPR compliance. As a data controller, this can be used to demonstrate compliance to regulators. As a data processor, this is something that business customers will increasingly be asking for to meet their own accountability responsibilities.
For many organisations who have little or no experience of this risk-based regulation, demonstrating accountability can seem daunting. This needn’t be the case. If you would like to discuss what accountability means for you, then please get in touch.
We hope that you have found this blog useful in understanding how the accountability requirement under GDPR can be achieved and managed on an on-going basis. As always, different people have different experiences, and it is by sharing these that we learn. So, feel free to comment below, even if you disagree!