HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Future-Proofing Privacy: The New Accountability Regime

Background of the notion of accountability

Accountability has been described by the Article 29 Working Party as a way of “showing how responsibility is exercised and making this verifiable”.

Accountability is far from being a new concept. It was introduced back in 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

In 2010, the Article 29 Working Party issued an Opinion on the principle of accountability where it put forward a concrete proposal for adding a principle of accountability so data controllers “put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with and to demonstrate so to supervisory authorities upon request”. According to the Article 29 Working Party, the accountability principle “should contribute to moving data protection from ‘theory to practice’ as well as helping data protection authorities in their supervision and enforcement tasks”.

From a national standpoint, in January 2015, the French DPA, the CNIL, issued an accountability standard. The CNIL’s accountability standard is divided into 25 requirements relating to the existence of both an internal privacy policy and an outward-facing privacy policy as well as the appointment of a data protection officer. Companies that demonstrate that they comply with the new standard will be able to obtain an “accountability seal” from the CNIL.

Accountability in the Data Protection Directive

Although the Data Protection Directive does not specifically refer to the term “accountability”, a number of its provisions set a basis for accountability:

  • Data controllers must ensure compliance with the main principles relating to data quality
  • Data controllers must notify the DPAs before carrying out processing operations
  • Data controllers must implement “appropriate technical and organizational measures” to safeguard and protect data.

Need for specific provisions relating to accountability

Referring specifically to accountability in the Regulation will make it more effective at ensuring that data controllers comply with their obligations. As the Article 29 Working Party noted, ensuring the effectiveness of the provisions of Directive 95/46/EC requires the data protection principles to be fully integrated into the data controller’s “shared values and practice”.

In addition, the increased risks presented by big data, the growing transfer and centralisation of data, and the rise in cybercrime make accountability more important: it allows data controllers to show that they treat privacy as a positive safeguard, helping them to regain the trust of their customers.

What does the Regulation require for accountability?

The notion of accountability is introduced by Article 5 as follows: “the controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (“accountability”)”. Paragraph 1, to which it refers, lists six general principles relating to the processing of data, principles which are already familiar from the Data Protection Directive. Accountability, within the meaning of the Regulation, is therefore the ability of a company to demonstrate that it acts in compliance with the principles of the Regulation.

Article 22.1 relating to the Responsibility of the controller expands on the concept introduced by Article 5, providing that:

“Taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation. These measures shall be reviewed and updated where necessary”.

More specific obligations which contribute to accountability are set out in other articles. They include the following elements:

  • Implementation of appropriate data protection policies and measures to ensure that an organisation’s processing of personal data complies with the Regulation
  • Adherence to approved codes of conduct or an approved certification mechanism. These are not mandatory but are suggested as a way that controllers can demonstrate that they are complying with their obligations under the Regulation
  • Adoption of measures, such as an internal or external audit process, to demonstrate that an organisation’s processing of personal data complies with the Regulation
  • Implementation of technical and organizational methods to protect data against unauthorized or unlawful processing
  • Keeping records of the processing of personal data which the organization carries out. The level of detail required is not yet settled, but it is likely that it will be similar to that currently required for data protection registrations in many Member States at present, for example, the purposes of processing, the categories of data subjects and data, the recipients or categories of recipients of data and, if possible, the time limits for deletion of the different categories of data
  • Carrying out data protection impact assessments for operations which present specific risks to individuals due to the nature or scope of the processing operation
  • Appointment of an independent data protection officer (DPO). Appointing a DPO is only mandatory in certain cases, in particular where sensitive data are being processed. The role of the DPO is critical for accountability. The DPO should be selected for his or her expertise, and reports to the highest level of the company’s management. The DPO is required to inform the controller of its obligations under the Regulation, and to monitor the implementation and application of the controller’s policies in relation to personal data. DPOs must be involved in all issues relating to the protection of personal data within a company, in particular by organizing training and building a network of persons within the company who are aware of data protection issues. They also act as a point of contact for supervisory authorities and must cooperate with the latter.

How can businesses start to prepare?

It is likely that the DPAs will provide further details of what they expect in this area. Indeed, as mentioned above, the CNIL has already done so. Pending agreement on a common approach, what can businesses be doing to prepare now?

The key concept to keep in mind is that this is about embedding privacy in the organization. Many organizations have internal privacy policies which set out the principles to which the organization will adhere, but implementation goes little further than posting the policy on the intranet. As the Article 29 Working Party memorably put it in its 2009 paper on “The Future of Privacy”, the principles and obligations “should permeate the cultural fabric of organisations, at all levels, rather than being thought of as a series of legal requirements to be ticked off by the legal department.” Companies need to be thinking not only about what compliance requires but how to communicate that throughout the organization.

Steps which you can take at this stage to help plan your approach to accountability include:

  • Identify and review all your existing policies to establish your current state. This may go far wider than privacy policies, encompassing IT and security policies, protection of information assets, and the use and monitoring of electronic communications
  • An effective accountability programme needs support from senior levels of the organization. Start identifying key stakeholders who may be able and willing to provide this
  • Appoint a DPO if you are required to have one
  • Identify where data is processed within your organization from both a functional and a geographical perspective. Remember to include third party processors
  • Do a gap analysis of what processes you have in place for handling new and existing data protection obligations. For example, is there a clear process for handling requests from data subjects in relation to their data?
  • Identify who the key actors are in relation to data processing so that you can involve them in developing processes
  • Consider whether you have existing audit processes within the organization which you can leverage to monitor compliance in this area.

What to do now

  • Identify your current state: review all relevant existing policies, and identify where data is processed within your organisation from both a functional and a geographical perspective.
  • Do a gap analysis of what processes you have in place for handling new and existing data protection obligations.
  • Identify key actors in relation to data processing so that you can involve them in developing new processes.
  • Identify key senior stakeholders to support your accountability programme.

This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”