In Understanding data protection: the EU regulation in a nutshell above, full accountability of controllers was stated as the first of several measures taken by the GDPR to limit the power gained by the controller through processing and balance it with the power of data subjects. See Controllers are fully accountable for detail.
The GDPR defines the principle as follows:
Definition in Art.5(2) GDPR:
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Paragraph 1 here refers to the principles that were discussed in the six previous sections, namely
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimization;
- Accuracy;
- Storage limitation; and
- Integrity and confidentiality.
To rephrase Art. 5(2), a controller is fully responsible for two things:
- Compliance with these six principles,
- Demonstrating compliance.
Accountability is thus not an additional substantive principle that controllers must comply with; rather, it governs how the six principles must be applied.
Note that having to be able to demonstrate compliance is a big step beyond merely having to comply. In particular, it places the “burden of proof” on the controller: a controller who is unable or unwilling to demonstrate compliance is in violation of the GDPR, regardless of whether the processing itself was in fact compliant.
What does it mean to comply?
While Art. 5(2) speaks only of compliance with the six principles, in practice accountability extends to the whole GDPR. This follows from the fact that all the other articles either provide detail to the principles or describe in more detail how they have to be implemented.
The GDPR states throughout that compliance is achieved in one way: through the implementation of technical and organizational measures. Art. 24, which describes the obligations of a controller, states explicitly in its first paragraph that this is how controllers comply (and demonstrate compliance) with the GDPR; Art. 25(1) states that data protection by design boils down to implementing such measures throughout the life cycle of the processing activity; Art. 25(2) similarly emphasizes the use of such measures for data protection by default; Art. 28(1) states that processors must also implement such measures; Art. 32 states that compliance with security requirements is likewise achieved through the implementation of such measures; and Art. 89(1) states that the safeguards required for “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” shall ensure that such measures are in place.
Since technical and organizational measures are so central to achieving compliance, the discussion of each of the six principles above ended with examples of such measures.
Compliance with data protection requirements can be seen as a process. Following the concept of data protection by design (see Art. 25(1) GDPR), in every life-cycle phase of the processing activity the risks to the rights and freedoms of natural persons are assessed and appropriate mitigating measures are implemented. The GDPR uses a very broad notion of technical and organizational measures: it covers essentially everything a controller does to comply with the GDPR. Therefore, even the assessment step mentioned above can itself be considered a measure.
What does it mean to demonstrate compliance?
Considering that compliance is achieved through the implementation of appropriate measures, it is not surprising that demonstrating compliance consists largely of documenting such measures.
This is evident, for example, from Art. 30(1)(g) that mandates to list the measures pertinent to security in the records of processing. It is also central in Art. 35 on the Data Protection Impact Assessment which is arguably the main tool foreseen by the GDPR for demonstrating compliance. In particular, Art. 35(7)(d) asks controllers to declare the measures they implemented to ensure the protection of personal data and to demonstrate compliance with the GDPR.
A more detailed discussion of Documentation of Processing in general, and Data Protection Impact Assessments in particular, can be found in the Chapter Actions and Tools below. Both these sections further emphasize the importance of technical and organizational measures.
Economy of scale for compliance and its demonstration
As argued above, compliance is achieved by implementing technical and organizational measures, and the discussion above makes clear that compliance may require a significant number of them. This can make it harder to assess the actual protection these measures offer, and whether that protection is applied uniformly and consistently.
To mitigate this difficulty, the GDPR offers “abstraction mechanisms” that permit a set of related measures to be considered as a single unit. In particular, the GDPR foresees two such mechanisms in Art. 24, which describes the “Responsibility of the controller”:
- Data protection policies (see Art. 24(2) GDPR), and
- approved codes of conduct (see Art. 24(3) and 40).
A data protection policy is a mechanism for making the application of measures systematic. It guarantees a uniform and consistent set of measures in similar situations. For example, instead of having to assess which security measures are appropriate for each of many highly similar servers, a single policy can be written once and applied to all of them. Evidently, particularly in complex and extensive processing operations, this brings a potentially very significant economy of scale, which can even span multiple independent processing activities of the same controller.
The mechanism of approved codes of conduct extends this economy of scale beyond a single controller to an entire processing sector. Such codes are prepared by associations and other bodies representing categories of controllers or processors (see Art. 40(2) GDPR). Where a draft code of conduct does not relate to processing activities in several Member States, the competent supervisory authority can approve it (see Art. 40(5) GDPR) and subsequently register and publish it (see Art. 40(6) GDPR). Where a draft code of conduct does relate to processing activities in several Member States, a similar process is used that involves the European Data Protection Board (see Art. 40(7) GDPR). Codes of conduct evidently also provide an economy of scale to the supervisory authorities that have to monitor compliance with the GDPR.
Both approved codes of conduct and certification (according to Art. 42 GDPR) can help controllers demonstrate compliance (see Art. 24(3) GDPR).