Written by Alan Ballany

Accountability means organisations must establish a system of proactive data protection measures. Responsibility clearly falls on the organisation to ensure compliance occurs.

In May 2018, the General Data Protection Regulation (GDPR) will become enforceable across the whole of the European Union. As part of our GDPR explainer series, we’re looking into the areas of the new set of laws that you most need to know about, and the actions you need to take to ensure you and your organisation are compliant.

In this part: accountability.

Accountability in data protection

Accountability clauses have featured in data protection regulations for many decades now. Previously, they governed who was responsible for complying with data regulations and thus who was to blame if compliance had not occurred. In the new legislation, the accountability clauses mean organisations should create a proactive system. Responsibility clearly falls on the organisation to have measures in place to ensure compliance.

There’s some good further reading available here from legal firm Baker & McKenzie.

What you need to do

The Information Commissioner’s Office (ICO), the UK body responsible for enforcing the GDPR, lists the following measures that companies and organisations which process personal data should, where possible, take to demonstrate their compliance with the legislation:

  • Implement internal policies that demonstrate your compliance, such as staff training, internal audits of processing activities and reviews of internal HR policies.
  • Maintain comprehensive documentation of processing activities. Essentially, everything your organisation does in relation to data collection and processing must be carefully documented. This article explains in further detail exactly what to record and how to go about doing it.
  • Appoint a Data Protection Officer (DPO) where possible.
  • Implement measures such as data minimisation (which basically means you shouldn’t collect or hold more information than you need) and anonymisation that meet data protection principles.

For cultural organisations, this means making sure all staff are aware of what data you really need to collect in the first instance, as well as how and where that data is kept and organised, ideally under the direction of an appointed Data Protection Officer.

For more information on these measures, and whether or not they apply to your information, consult the ICO guidelines here, or get in touch with Culture Republic, and we’d be glad to offer our full help and support.