The principle of accountability in the GDPR requires you to take responsibility for how you process personal data. You must also make sure that your company complies with other principles. Furthermore, the principle includes an obligation to demonstrate compliance, meaning that companies must have documented procedures and routines in place.

Reading time: 2,5 minutes.

Written procedures and management documents showing accountability

To be compliant with the GDPR, companies need documentation of various kinds. Companies should have written procedures and management documents, including a documented decision-making process to ensure traceability. Examples might be an internal privacy policy or a procedure for data minimisation. Other relevant documents might include a procedure for complying with data subjects’ rights and rules for the use of work phones. A routine for conducting impact assessments is another document that could be necessary.

The purpose of such documentation is to demonstrate compliance. It is also a good way to establish the company’s view on these issues.

Compliance routines and policies need to be practised

Companies need to ensure that their compliance routines and policies are enforceable. Furthermore, employees need information about the rules and procedures in place. They must also receive training on the subject of complying with the principle of accountability in the GDPR. It is also necessary to have control functions, such as initiating interviews with employees. You should divide the responsibility for data protection issues within the company, for example by having a data protection officer who is independent of management. By doing this, you avoid conflicts of interest.

Maintaining electronic records of processing activities

Article 30 of the GDPR requires that electronic records be kept of processing activities. This obligation applies to both controllers and processors and ensures traceability. The obligation to keep records does not apply to companies with fewer than 250 employees, unless any of the following apply:

  • the processing is not temporary
  • the processing is likely to result in a risk to the rights and freedoms of data subjects
  • the processing includes special categories of data (sensitive personal data), such as personal data revealing political opinions or religious/philosophical beliefs
  • the processing includes personal data relating to criminal convictions and offences.

This means that most companies need to establish and maintain such records.

Checklist for controllers

As a minimum requirement, the record of processing activities needs to contain the following:

  • Name and contact details of the controller and the controller’s representative, and the name and contact details of the data protection officer
  • Purposes of the processing
  • A description of the categories of data subjects and categories of personal data
  • Categories of recipients to whom the controller discloses personal data
  • If applicable, records of any transfers of personal data to another country, or to an international organisation
  • If possible, the envisaged time limits for erasure
  • If possible, a general description of the technical and organisational security measures in place.

Checklist for processors

As a minimum requirement, the record of processing activities needs to contain the following information:

  • Name and contact details of the data processor or processors. Also, the name and contact details of each controller on behalf of which the processor is acting. If applicable, the names and contact details of the controller’s or the processor’s representative, and of the data protection officer
  • Categories of processing carried out on behalf of each controller
  • If applicable, transfers of personal data to another country, or to an international organisation
  • If possible, a general description of the technical and organisational security measures in place.

Companies need to show these records at the request of the supervisory authority.