The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
We are expected to put into place comprehensive but proportionate governance measures. Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data.
The accountability principle in Article 5(2) requires us to demonstrate that we comply with the principles and states explicitly that this is our responsibility.
This means that we must:
- implement appropriate technical and organisational measures that ensure and demonstrate that we comply;
- maintain relevant documentation on processing activities;
- implement measures that meet the principles of privacy by design and default, such as:
  - data minimisation;
  - allowing individuals to monitor processing; and
  - creating and improving security features on an ongoing basis.
- use data protection impact assessments where appropriate.
What are STMCC doing to demonstrate accountability?
- Nominated “Data Protection Persons” in each area are being asked to collate the required information so that the Centre can demonstrate its compliance with GDPR and identify areas where remedial action is required.
- Recording all data security breaches.