GDPR: Understanding everything about accountability
When it comes to the GDPR, you often hear about the principle of accountability. The term may seem complex and the notion rather vague. "Accountability" is usually rendered in French as "responsabilité", but it means something more precise: being able to give an account of, and answer for, what you do with personal data.
But what does accountability mean within the meaning of the General Data Protection Regulation (GDPR)?
Sit comfortably with your tea and we'll explain everything to you in 5 minutes! ☕️
The answer to the poll: "Does the principle of accountability aim to make data processing stakeholders responsible?"
To introduce the subject, we ran a poll on our LinkedIn page on March 8, asking whether the principle of accountability aims to make data processing stakeholders responsible. Out of 109 voters, 97% of you answered "Yes ✅". Well done! This principle does indeed make data processing stakeholders responsible for their own compliance.

Understand the principle of accountability
Under the GDPR, the principle of accountability (Article 5(2)) obliges data processing actors:
- To implement all the measures necessary to ensure their compliance,
- And to be able to demonstrate that these measures are effective.
To do this, you must keep all of your documentation up to date. It constitutes the proof of the efforts undertaken to ensure compliance.
This principle reverses the logic of prior (a priori) control that existed in France under the Data Protection Act before the GDPR. Under that logic, companies had to declare their processing operations beforehand and the supervisory authority validated them before they were implemented (with a system of exemptions for the most common processing operations). Prior authorisation procedures have now almost disappeared, replaced by a system of a posteriori control. The GDPR gives the Data Controller great freedom in how it implements its compliance. In return, it must be able, particularly in the event of an inspection, to justify and demonstrate the relevance and effectiveness of its choices.
What measures should be implemented to respect the principle of accountability?
GDPR compliance requires measures to be adopted and respected within businesses. These measures must be proportionate to:
- The reality of your business (its size, the human and financial resources available to you, your level of maturity, etc.),
- As well as the risks that the data processing represents for the rights and freedoms of individuals.
As explained above, accountability assumes not only that these measures are adopted but also that their implementation is documented and effective. Among these measures you will find:

1. The creation of policies relating to the protection of personal data
That is, writing down all the obligations and procedures that processing actors must follow to protect people's data. This may be an internal personal data protection policy or a data retention policy, for example. These policies guarantee uniform application of the personal data protection rules by giving clear instructions to everyone involved in the processing.
2. Respect for privacy by design and privacy by default
This is a principle of the GDPR (Article 25) under which organisations have the obligation:
- To take into account the protection of personal data when designing new processing,
- And apply the highest level of data protection by default.
To find out more, you can read our article "GDPR: How to implement privacy by default and privacy by design?". The measures taken to respect this principle must be documented.
3. Implementing appropriate security measures
The GDPR (Article 32) requires technical and organisational measures appropriate to the risk in order to ensure the security of the processing. To find out more about this measure, you can read our article on the security principle: "GDPR: understanding everything about the security principle". To reference these measures, both in the event of an inspection and for your own internal use, you can create a personal data security policy.
4. Recording and reporting data breaches
You must keep a record of security incidents: Article 33(5) of the GDPR requires the controller to document every personal data breach (the facts, its effects and the remedial action taken). At the same time, you must assess the seriousness of the incident and determine whether:
- Simply recording it in your breach register is enough (the breach is unlikely to result in a risk to individuals' rights and freedoms),
- The breach is serious enough that the CNIL must be notified (within 72 hours of becoming aware of the breach),
- The breach is likely to result in a high risk for the people concerned, so that they must be notified as well as the CNIL.
Check out our article to learn more about data breaches:
https://www.datacomplyone.eu/violation-de-donnees-et-rgpd/
5. Carrying out data protection impact assessments
An impact assessment (PIA, or AIPD in French) is a process that helps organisations identify and measure the risks posed by the processing of personal data, in order to anticipate and reduce them. It must be carried out whenever a processing operation is likely to result in a high risk to the rights and freedoms of individuals (Article 35). To find out more, you can read our article "How to create a PIA? The essential points". The impact assessment demonstrates that you have considered the impact of the processing on the rights and freedoms of individuals, and the document may be presented during a CNIL inspection.

An example of a sanction based in part on non-compliance with the principle of accountability
On May 2, 2021, Datatilsynet (the Norwegian equivalent of the CNIL) issued an advance notification of a fine of 25 million NOK (around 2.5 million euros) against the American company Disqus Inc. The Norwegian supervisory authority relied on the following breaches: non-compliance with the principle of accountability, the lawfulness of processing and transparency.
Disqus is a plug-in used by several Norwegian online newspapers. It allows readers to leave public comments below published articles and provides moderation tools for online editors. The company uses cookies to track users' browsing across the sites concerned and passes this data on to advertising partners as well as to its parent company. The supervisory authority concluded that Disqus carried out unlawful tracking and profiling of users for advertising purposes. Furthermore, users of the websites were not informed of this processing.
The company argued in its defence that it was unaware that the GDPR applied in Norway and to its activities. After ruling on the territorial and material scope of the GDPR, Datatilsynet noted that companies must first of all assess whether the Regulation applies to their processing. It concluded that Disqus had not respected the general obligation of accountability, since it had not documented its assessment of whether the GDPR applied to it.
How to do it concretely?
This principle is still not clear to you? Don't know where to start? Are you short on time?
✅ Data Comply One (formerly Mission RGPD) lets you meet the principle of accountability by maintaining traceability and a history over time of all your GDPR compliance processes. You keep everything you need in one place: you can attach all the necessary supporting documents, use our templates and our document space to build your own documentation and share it with your colleagues.
Make sure you always have the documents needed to prove your compliance to hand.
With Data Comply One (formerly Mission RGPD), you can achieve compliance simply and manage it with complete peace of mind. The security of your processing operations will no longer be a problem.
Don't waste any more time, it's so simple!