Compliance with the GDPR is seemingly not easy. Various interpretations of the rules by different types of advisors from lawyers to compliance consultants to cyber experts means that many firms are probably non-compliant. Over the last year in the UK privacy world, there were 149 enforcement actions from the Information Commissioner Office (the ICO), the UK privacy regulator. This number represents reprimands, monetary penalties, enforcement notices and prosecutions that were enforced in relation to a lack of data security within law firms, unlawful marketing campaigns across various businesses and non-compliance with many aspects of procedures, including Subject Access Requests within the public sector. 95% of the monetary penalties were said not to include any mitigating factors that could affect their severity. This means that firms should be able to improve their chances of avoiding or reducing fines by demonstrating compliance of the whole of the GDPR rules. We believe that too many firms are either focusing on one aspect (having policies in place) at the expense of others (demonstrating actions against the policies).
What we wish to focus on today is one mitigating factor that we believe regulators like to refer to, notably when it comes to reducing some of the monetary penalties, that is compliance with the GDPR principle of accountability.[1] We believe it is of utmost importance that businesses around the globe have a clear understanding of what it means to be accountable under the GDPR. As when we finished doing research in relation to this year’s updates of Leo’s suite of GDPR modules in our RegTech software, we found out that this understanding must be improved.
Do read on if you are a business processing personal data of individuals in the UK or EEA, but even more so if you are in finance and doing business in the UK as the ICO’s new proposed areas of work for 2023-2024 will include the finance and AI industries and its compliance with the privacy regulation as revealed in ICO Audit: Year in Focus 2022-23[i].
What is misunderstood then?
There is a belief that having in place some of the documentation required by the regulation i.e. internal policies and privacy notices will mean compliance; or that appointing some cyber experts to protect from hacking is the job done. Unfortunately, the suite of the required documentation is broader and only part of the rules as is cyber security. To achieve full compliance with the principle of accountability businesses also need to demonstrate adherence to their policies and procedures which should be the embodiment of the six main principles of the GDPR as set out in GDPR Article 5 (1). It is therefore a catch-all. This is the principle that binds all others into one reality and the one to comply with to alleviate future problems.
What do I need to comply with?
The principle of accountability was introduced in 2018 (GDPR Article 5(2)). It aims to ensure that data controllers (we will discuss data processors in our next article, but in brief there are probably no pure data processors as any business with employees for example, will be a controller of the data concerning their employees, so read this as applying to you) will adhere to – and can prove that they adhere to – the criteria set out in Article 5(1), i.e.:
- Lawfulness
- Data processing purpose limitation
- Data minimisation
- Data Accuracy
- Data Storage limitation
- Data Integrity and confidentiality
As Mary Pothos [2], privacy lawyer and contributor to European Data Protection Law and Practice explains, the core elements that help controllers to demonstrate their compliance are:
- Internal data protection policies
- Internal allocation of responsibilities
- Training programmes
- Detailed records of processing activities, and
- Data protection impact assessments.
The benefits of such a framework were echoed by the ICO in the aforementioned report Audit: Year in Focus 2022-23 as it recommended as good practice the implementation of a bespoke central software that allows an organisation to conduct Data Protection Impact Assessments, Legitimate Interest Impact Assessments and other procedures pertinent to the principle of accountability. These, we note, are most probably regular assessments for anyone complying with the GDPR, not just a one off or once a year event.
Following from the above, the GDPR principle of accountability invites written policies and procedures as well as thorough record-keeping for all of an organisation’s privacy efforts. As an example any new process should be subjected to a new impact assessment kept on record and so on … These constitute a privacy governance framework that any business should maintain which also help with compliance of two other GDPR principles: privacy by design and privacy by default. [i] The effort therefore is not wasted and adds further compliance and protection.
How Leo can help
To help organisations to comply with GDPR principles and demonstrate accountability, Leo has created a privacy governance framework that’s grounded in business practices – incorporating day-to-day management of data breaches, third-party risks, records of processing activities, legitimate interest assessment, data protection impact assessment, international data transfers, employee training and periodic compliance monitoring programme.
To find out more, click in the link below.
[1] ‘the general record of the data controller’ is listed as mitigating factor in framework used to guide ICO staff in determining the appropriate amount of a monetary penalty, April 2023
[2] European Data Protection Law and Practice, second edition
