The GDPR is set to bring in strict accountability regulations in May 2018 in a bid to tighten processes, create direct reporting lines and eliminate finger pointing.
It has been a little on the sidelines of current data protection laws but the new regulations look to make accountability a formal requirement.
But, what is accountability? What do we need to do to tick the accountability box? And, where do we start?
We’ve answered some basic questions to get the ball rolling.
Q1. What is meant by accountability?
Straight from the words of the English dictionary, to be accountable is to:
“Be completely responsible for what one does, and one must be able to give a satisfactory reason for it.”
And this doesn’t stray too far from the new regulations. Businesses must demonstrate compliance, provide reasoning for the processes they have in place and take full responsibility for the data they hold and the way in which they obtain and manage it.
This applies to both processors and controllers, i.e. those in charge of the data and those using the data, including all third-party users.
Q2. What do we need to do right now?
There are a few things to consider before putting processes for accountability in place.
Here are three things you should consider right now:
- Who oversees data protection now?
- What responsibilities need to be set out for each department?
- Do we need a main point of contact?
The GDPR will make it obligatory for some businesses to appoint a central point of contact known as a DPO (Data Protection Officer). Generally speaking, DPOs will be required for public bodies, processors of sensitive information and ‘big data’ companies, but you might want to consider whether your organisation needs one, just to be on the safe side.
Q3. Where do we start?
As in Q2, begin by deciding whether you need or want a DPO. If you choose to appoint a DPO voluntarily, there are a couple of extra things you will need to consider:
- They’re going to need to have employment protections put in place
- They need to operate with independence
- They may need certifications in the future (it’s not mandatory at the moment, but we could see new regulations requiring DPOs to have EU-wide certifications)
- Think about confidentiality and conflict-of-interest issues (i.e. will their current role affect their role as DPO?)
Regardless of whether you appoint a DPO or not, someone needs to be responsible for waving the GDPR flag in front of internal stakeholders’ faces. Put someone in charge of keeping the GDPR train on track.
Begin an audit of the data you have, where it is and who has access to it. It’ll give you an idea of the work that will need to be done in the coming months!
Hopefully, this will give you a general and brief background to accountability within the GDPR and what you will need to consider.