Are you meeting the GDPR Accountability principle?

Meeting the General Data Protection Regulation (GDPR) requirements isn’t a one-off ‘set and forget’ activity. Ongoing work is needed to ensure the requirements continue to be met; this is covered by the Accountability principle in Article 5(2). It states that the controller “shall be responsible for, and be able to demonstrate compliance with, paragraph 1”, and paragraph 1 sets out the other principles. These require that personal data be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and, where necessary, kept up to date (‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

An effective way of checking Accountability is to perform audits and produce an action plan to address any gaps. This will be no surprise to companies that have ISO 27001 certification and run an audit programme to check that the requirements of that standard continue to be met as the business and external factors change; adding further checks for GDPR and Data Protection Act 2018 (DPA 2018) requirements should not be difficult.

So what needs to be audited? There isn’t a fixed list of items, as each company will have its own approach to the GDPR based on the personal data it processes and how it operates. The following can act as a starting point: add other items as necessary and remove any that are not applicable.

Governance

  • Clear ownership of data protection issues at senior management level
  • Data Protection Officer (DPO) in place, with the necessary knowledge and reporting line. If a DPO is not required, the reason for not having one is documented
  • Summary of data privacy issues, including best practice and other relevant updates from the ICO, are produced for board meetings
  • Maintain an organisational risk assessment that includes data protection risks
  • Maintain a privacy strategy and/or policy

Personal Data inventory and associated records

  • Maintain Records of Processing Activities that meet the GDPR Article 30 and DPA 2018 requirements
  • Maintain records of consent
  • Maintain Legitimate Interest Assessments

Transparency

  • Privacy policy available to staff and externally, e.g. on website. The policy should be about transparency, the lawful processing of personal data and the rights of data subjects rather than a list of measures to protect personal data
  • Paper forms collecting personal data have appropriate details about privacy and rights (or where to access them)

Data Protection by Design and Default & Supply Chain

  • Data Protection Impact Assessment template available
  • Data Protection Impact Assessments done when this is a requirement
  • Contracts/T&Cs with data processors and suppliers meet GDPR requirements
  • Maintain policies/procedures covering risk management of new work – projects or R&D – involving personal data, use of CCTV, profiling, secondary use of personal data and obtaining valid consent. Evidence that the policies/procedures are being used

Training and Awareness

  • Do data privacy training and maintain records showing when this has been done
  • Maintain schedule for future data privacy training

Retention

  • Personal data retained in line with the retention period defined in the Records of Processing Activities or Retention Policy. Includes personal data in emails and collected on websites

Organisational measures including policies

  • Maintain Information Security (or similar) policy
  • Maintain policy and procedure for de-identification of personal data (anonymization and pseudonymisation)
  • Maintain Acceptable Use policy
  • Maintain a Bring Your Own Device policy
  • Maintain HR policies and documents covering data protection and individual responsibilities
  • Maintain Incident Management policy that includes reporting of applicable incidents & the policy has been tested
  • Maintain Business Continuity/Disaster Recovery plan & the plan has been tested
  • Maintain policies/procedures to review processing conducted wholly or partially by automated means
  • Maintain policies for use of personal data in marketing
  • Maintain policies to allow data subjects to exercise all their rights (Subject Access Request, Rectification etc.). Track when data subjects ask to exercise their rights and the time taken to respond
  • Maintain good Physical Security

Technical measures

  • Maintain a secure internet connection and have a business case for every open port on the firewall
  • Run a vulnerability scan (or penetration test) against all externally facing IP addresses
  • Secure devices and software – use software firewalls, enable encryption on devices, use strong passwords
  • Patching – all high-risk or critical security updates for operating systems, firmware and applications are installed within 14 days of release
  • Access Controls – maintain and use a process/checklist for starters, people moving roles and leavers; enable multi-factor authentication wherever it is available
  • Protect from viruses and other malware – maintain anti-malware software on all devices where this is allowed, do automatic scan of web pages and warn about malicious websites
  • Backups – maintain a backup process and do restore checks on a regular basis
  • Personal data is anonymised or pseudonymised where this is appropriate to secure it
  • Logs of access to and updates of personal data are retained and reviewed for suspicious activity
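The last item is the one most often claimed but least often evidenced: logs exist, but nobody can show they were looked at. The following script is an added illustration of what a routine review of a personal-data access log might look like; it is not code from the original page or from any product. The log format (one line per event: UTC timestamp, user, action, record identifier), the sample lines, the thresholds and the leavers list are all constructed assumptions for the example. Keeping the script and its output with the audit file is the kind of evidence the Accountability principle asks for.

```python
"""Review a personal-data access log for activity that warrants investigation.

Added example (not the page's or any vendor's code). The log format below is a
hypothetical one: "<ISO-8601 UTC timestamp> <user> <action> <record-id>".
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines for the example.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice READ customer/1001
2024-03-04T09:12:05Z alice UPDATE customer/1001
2024-03-04T02:30:11Z bob READ customer/2002
2024-03-04T02:30:12Z bob READ customer/2003
2024-03-04T10:00:00Z carol READ customer/3003
2024-03-04T10:00:01Z carol READ customer/3004
2024-03-04T10:00:02Z carol READ customer/3005
2024-03-04T10:00:03Z carol READ customer/3006
2024-03-04T10:00:04Z carol READ customer/3007
2024-03-04T10:00:05Z carol READ customer/3008
2024-03-04T11:15:42Z dave EXPORT customer/4004
2024-03-05T09:00:00Z erin READ customer/5005
"""

# Assumed thresholds and reference data; tune these to your own baseline.
BUSINESS_HOURS = (8, 18)      # 08:00-17:59 UTC is treated as normal working time
BULK_THRESHOLD = 5            # distinct records per user per day before flagging
LEAVERS = {"erin"}            # accounts the leavers process says should be disabled
REVIEW_ACTIONS = {"EXPORT"}   # actions that always need a documented business reason


def parse_log(text):
    """Parse log lines into event dicts; blank lines are skipped, malformed ones raise."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, user, action, record = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"when": when, "user": user, "action": action, "record": record})
    return events


def audit(events):
    """Return a sorted list of (rule, user, detail) findings for human review."""
    findings = []
    records_per_user_day = defaultdict(set)
    for ev in events:
        stamp = ev["when"].isoformat()
        what = f"{ev['action']} {ev['record']} at {stamp}"
        # Rule 1: any activity by an account that should already have been removed.
        if ev["user"] in LEAVERS:
            findings.append(("leaver-access", ev["user"], what))
        # Rule 2: access outside normal working hours.
        if not (BUSINESS_HOURS[0] <= ev["when"].hour < BUSINESS_HOURS[1]):
            findings.append(("out-of-hours", ev["user"], what))
        # Rule 3: actions that always need a justification on file.
        if ev["action"] in REVIEW_ACTIONS:
            findings.append(("review-action", ev["user"], what))
        records_per_user_day[(ev["user"], ev["when"].date())].add(ev["record"])
    # Rule 4: one user touching many distinct records in a day (bulk read or scrape).
    for (user, day), records in records_per_user_day.items():
        if len(records) >= BULK_THRESHOLD:
            findings.append(("bulk-access", user, f"{len(records)} distinct records on {day}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{rule:14} {user:8} {detail}")
```

Running it against the sample lines flags bob's two 02:30 reads, carol's six-record run, dave's export and erin's post-leaving access. In practice the rules would be replaced by whatever your log source actually records, and the findings and the reviewer's conclusions kept alongside the audit as evidence.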

Get in touch if you want advice about GDPR Accountability or want us to do an audit for you.

e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462