In our previous article on the General Data Protection Regulation (GDPR), we explained that 95% of the monetary penalties issued by the Information Commissioner’s Office (the ICO) did not include any mitigating factors that could have reduced the severity of the penalties handed out.
When issuing administrative fines, Art. 83 of the GDPR specifies that supervisory authorities should consider ‘the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them according to Articles 25[1] and 32[2] (…)’. This means that firms should be able to improve their chances of avoiding or reducing fines by demonstrating efforts towards compliance with the GDPR rules, something that many of those caught failing to comply to date could not demonstrate.
We further focused on the principle of accountability (Art. 5 GDPR), which is a ‘cornerstone of the GDPR’ as emphasised by the European Commission[3]. We explained how to show compliance with the principle of accountability: it requires written policies and procedures as well as clear record-keeping for all of an organisation’s privacy efforts. As an example, we mentioned that any new innovative process should be subjected to an impact assessment that is kept on record.
We also mentioned that, while working with clients using Leo’s Reg Tech GDPR Modules, we have come across some worrying misconceptions. The first, covered in the first article, related to what the accountability framework should consist of; the second was that if you were ‘merely’ a data processor, not a data controller, the compliance burden was lighter and did not require you to maintain the accountability framework. Today we would like to follow up on the latter by explaining to whom the principle of accountability applies.
The scope of the accountability principle in Art. 5 GDPR
Although Art. 5 GDPR refers to data controllers, in practice the principle of accountability applies equally to processors and controllers of data. Most organisations, including those whose commercial activities are focused on data processing, are data controllers in some way. Given that your business processes the personal data of its employees, clients or vendors, it does so in the capacity of a data controller. Therefore, in practice, the GDPR demands a complete compliance framework from everyone.
Processors adhering to the principle of accountability by the extension of the controller’s duty
Setting aside the point that all processors are data controllers in some capacity, processors can also be subjected to the principle of accountability by extension of the responsibilities of data controllers. Art. 28 GDPR states that the controller should use only processors that provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements [of GDPR] and ensure the protection of the rights of the data subject”. As Stewart Room, data protection lawyer and practitioner, states: “This idea of ‘sufficient guarantees’ […] is really focused on […] getting proof of a processor’s competence […] If a controller is unable to establish proof of a processor’s competence, it has to walk away, otherwise, it will be in automatic breach of GDPR Article 28”[4].
Following from the above, what evidence of compliance should controllers require from their processors? The European Data Protection Board explains in its Guidelines 07/2020 what is needed to meet the threshold of guarantees that will satisfy the requirements of the controller: “Often this will require an exchange of relevant information (e.g. privacy policy, records of processing activities, reports of external data protection audits, records of management policy, information security policy, international certifications, like ISO 27000)”[5]. Practically speaking, controllers should require processors to provide evidence of their adherence to and understanding of the GDPR. The easiest way for a processor to do this is to maintain a set of policies and procedures that demonstrate good governance of data protection practices, supported by record-keeping and diligent processes.
In summary…
In our previous article we demonstrated the importance of the principle of accountability and what it takes to comply with it. Today we have confirmed that all organisations ought to adhere to it, regardless of whether they are data processors or data controllers. If you still think that enforcement of the GDPR is unlikely, and that the regulators’ impact has not yet been persuasive enough for many businesses to act, note that pressure for compliance is also coming from individuals with a vested interest in a business: clients, investors or employees. The path to reporting non-compliance to a regulator is straightforward, and the regulator does act on complaints. No one wants to play Russian roulette with a potential investigation and the cost of a penalty when the effort of compliance is relatively light and affordable, especially in view of the various GDPR software available.
How Leo can help
Helping organisations comply with GDPR principles and demonstrate accountability is a critical service Leo provides. To accomplish this, Leo has developed a robust privacy governance framework. This framework is grounded in business practices and also covers the detailed, day-to-day obligations: management of data breaches, third-party risks, records of processing activities, legitimate interest assessments, data protection impact assessments, international data transfers, employee training, and a periodic compliance monitoring programme. To find out more about how we can help your organisation meet GDPR requirements, please click the link below. If you need personal assistance or have more questions, please feel free to contact us.
[1] https://gdpr-info.eu/art-25-gdpr/
[2] https://gdpr-info.eu/art-32-gdpr/
[3] https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/how-can-i-demonstrate-my-organisation-compliant-gdpr_en
[4] Stewart Room, European Data Protection Law and Practice, second edition (April 2019)
[5] European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.1 (adopted 07 July 2021)