Unravelling the GDPR 'accountability' principle
Rachel Ashwood and Razia Begum
October 09, 2017
Accountability is a key principle under the GDPR. However, there is little official guidance as to what it means in practice.
The notion of accountability is not new. Accountability was introduced as a basic data protection principle in the 1980s. At that time it amounted to a reactive assignment of responsibility for privacy compliance. Under the GDPR, however, applying the principle will require a systematic and proactive approach to every personal data collection and handling process across the entire business. Importantly, to satisfy the principle businesses will need to demonstrate compliance with their obligations under the GDPR (through documentation, policies and a paper trail) rather than carry out a tick-box exercise, and to be prepared in the event of an audit by the authorities.
Accountability in practice
Individual application of the accountability principle by businesses will depend on a range of factors, including the nature, scope, context and purpose of the processing, as well as the rights and freedoms of individuals.
The accountability principle mandates that the more likely and severe the risks associated with the data processing in question, the stronger the measures that should be in place to counteract them. Factors that make processing risky include, but are not limited to, circumstances:
- that may give rise to discrimination, identity theft or fraud
- that may cause reputational damage or any other economic or social disadvantage
- where the data is sensitive and/or held in large quantities
In practice, there are various required steps relating to HR/employer data as part of any broader compliance programme:
- If you have not already done so, begin the process of GDPR compliance by alerting board-level members of your organisation to the changes and their impact on the business. Buy-in at the top is essential, as is putting training programmes in place for all employees so that everyone knows and understands the changes.
- Consider the time, resource and money required to demonstrate your compliance and appoint, where necessary, a data protection officer or privacy champion of some kind to lead and oversee ongoing compliance.
- Understand what information you hold by mapping out or auditing the data records, documentation, processes, systems and requirements of your organisation, including the types of employee/applicant/HR data you hold and how it is obtained, stored and handled. Consider any remedial follow-up action needed to achieve compliance, including minimising the processing of employee data where possible or putting in place employee data policies to help enforce compliance.
- Inform employees. The GDPR requires significantly more information to be given to employees from the outset as to what their data will be used for. This includes providing details of the who, what, why and when of processing, and informing employees of their right to object, to restrict processing or to have data erased in certain circumstances. This will require you to issue meaningful privacy notices to employees.
- Carry out privacy impact assessments for 'high risk' processing of employee data. Ensure that you can justify this so-called risky processing.
- Ensure that records of your HR data processing activity are kept and regularly reviewed and updated as required. Compliance must be demonstrable between data controllers and data processors as well as to supervisory authorities.
For this reason, review contracts with your processors and suppliers (such as your payroll provider) to ensure that they are also compliant; otherwise you may also be liable.
Like it or loathe it, the GDPR will provide an opportunity to educate and refresh all personnel and to rethink, refresh and reorganise your HR systems, processes and documentation. Given the heightened level of global attention from authorities and the media on data breaches, the GDPR will evoke a cultural shift from boardroom to basement. Be the ambassador for your organisation rather than a bystander.
Rachel Ashwood is senior counsel in the employment team and Razia Begum is an employment lawyer at Taylor Vinters