The European General Data Protection Regulation (GDPR) has now been in force for over two years. In this series of articles we look at some of the topics where practice and guidance have evolved since May 2018. We also look at the steps that organizations should be taking now in light of what we have learned. In this article we cover the requirements around demonstrating accountability and how these have evolved in practice.
What does the GDPR say about demonstrating accountability?
The GDPR places strong emphasis on the principle of accountability, which requires organizations not only to act in a compliant way, but also to record and demonstrate their compliance through written assessments, policies and documentation.
As well as a general requirement to be able to demonstrate compliance with the principles of the GDPR, there are specific requirements to:
- maintain a record of processing activities;
- document personal data breaches;
- carry out data protection impact assessments;
- implement organizational measures to ensure compliance; and
- document relationships with processors, sub-processors and joint controllers.
What issues have we seen?
In the run up to GDPR coming into effect, our expectation of what would be needed to demonstrate accountability was mostly focussed on specific key documentation. This included external and internal facing privacy policies and guidance on how to address key issues under GDPR, such as good data handling processes, security, data breaches and managing subject access requests.
Over the last few years, it has become clear that data protection regulators are expecting more detailed documentation on a range of topics to be in place. This is particularly important in some circumstances, including when decisions are made around whether legitimate interests is an appropriate basis for processing, or whether two organisations are sole or joint controllers; or where a product with potentially invasive uses of data is being considered. In proceedings brought by regulators, the accountability principle has often been invoked to shift the burden of proof for GDPR compliance to the data controller, leading to the risk of higher fines if a controller cannot provide sufficiently detailed documentation.
As a result, we have recommended that companies take additional steps to document challenging compliance areas where there is a risk that a regulator could ask the company to justify its position later. Mark Taylor, Partner in Osborne Clarke's London office, explains that "given regulators' expectations, it is important for companies to recognise the most important situations where documentation is needed and to ensure that the relevant documents are complete and kept up to date".
For many companies, the requirement to demonstrate accountability, for example by carrying out a privacy impact assessment, has been driven not only by the threat of enforcement activity, but also by the behaviour of potential and existing customers. Those customers may be looking to their vendors to help them document privacy impact assessments, in order to minimise data privacy risks in relation to their products.
What should organisations be doing now?
Given how this topic has evolved, now is a good time to take the following actions:
1. Check that your organization has appropriate core documentation in place. At the very least, there should be detailed and up-to-date internal and external privacy statements. These should be backed up by evidence that issues were considered and then decisions made on the basis of the relevant GDPR requirement. These documents should also be accompanied by appropriate guidance. For example, if your company is relying on legitimate interests as a basis for processing in more borderline cases, ensure that the assessment of legitimate interests is contained in a separate document. This is also a good opportunity to check that those who regularly refer to any guidance documents find them helpful and that they contain the right level of detail and reflect any learnings or improvements.
2. Test out how easy it is to access and produce key documentation. With regulators becoming more interested in seeing accountability documentation, check that it is easy to find and provide that information. Since several years have passed and personnel may have left the company, it could take longer to locate documentation when requested by regulators. Emily Jones, Partner and Head of Osborne Clarke's offices in Silicon Valley, highlights that "taking a long time to produce incomplete or old versions of documents can paint a negative picture of a company's approach to compliance generally, which will be unhelpful in the context of any investigations or complaints". A simple, central repository for all the relevant documentation can help with this aspect.
3. Build a requirement to consider and document data privacy impact assessments (DPIA) into your internal processes. Ensure that a DPIA is considered at the right time before a decision is made to implement a new process, appoint a new vendor or implement a change to a product or service that could impact on privacy. The key here is to use an easily accessible template with helpful guidance. Requiring the assessment to be reviewed and signed off by the legal or compliance team before the project can continue to the next phase can be a good way of ensuring that this step is taken in practice.
If you have any questions about the contents of this Insight, please get in touch with one of our experts.