Accountability and governance

  • Accountability is one of the data protection principles – it makes you responsible for complying with the UK GDPR and says that you must be able to demonstrate your compliance.
  • You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
  • There are a number of measures that you can, and in some cases must, take including:
    • adopting and implementing data protection policies;
    • taking a ‘data protection by design and default’ approach;
    • putting written contracts in place with organisations that process personal data on your behalf;
    • maintaining documentation of your processing activities;
    • implementing appropriate security measures;
    • recording and, where necessary, reporting personal data breaches;
    • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
    • appointing a data protection officer; and
    • adhering to relevant codes of conduct and signing up to certification schemes.
  • Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
  • If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.
  • Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.