Bud P. Bruegger (ULD)
Acknowledgements: The author thankfully acknowledges the contribution by Johann Čas and Walter Peissl (both OEAW), who wrote an analysis of this principle as input to the description presented here.
The following discusses the principle of accountability that is defined in Art. 5(2) GDPR.
Accountability at a glance:
Accountability consists of two requirements for controllers:
Compliance is achieved by implementing technical and organizational measures that are adequate in relation to the risks to the rights and freedoms of data subjects, correspond to the state of the art of technology, and are cost-effective. Every description of the principles has provided examples of such technical and organizational measures. For a systematic application of these measures, controllers can create data protection policies. Approved codes of conduct, where available, are similar, but they are pre-approved and usually address an entire sector. Compliance is not a state that is reached once, but a continuous process that spans the whole life cycle of a processing activity.
Demonstration of compliance is predominantly achieved by documentation (see the section Documentation of Processing in Main Actions and Tools). Documentation should be continuous, like the process of compliance itself. Every implemented measure, including data-protection-relevant considerations and decisions, should be documented. The GDPR requires two formal documents as part of demonstrating compliance to supervisory authorities: the register of processing (see Documentation of Processing for detail) and, where the risks are likely to be high, a data protection impact assessment (see the section with the same name in Main Actions and Tools for detail). Certification can support the demonstration of compliance.