Accountability measures address how to achieve compliance and how to demonstrate it, rather than what must be done in order to comply.
The following “meta” measures address ways of achieving compliance:
- Data protection by design and by default (see Art. 25 GDPR).
- The data protection impact assessment (see Art. 35 GDPR) in its function as a continuous process that guides the controller in assessing the risks and in identifying appropriate technical and organizational measures to mitigate them.
- The creation and application of data protection policies (see Art. 24(2) GDPR).
- The adherence to approved codes of conduct (see Art. 24(3) and Art. 40 GDPR).
- The adherence to approved certification mechanisms (see Art. 24(3) and Art. 42 GDPR).
The following “meta” measures address ways of documenting compliance:
- The data protection impact assessment (see Art. 35 GDPR) in its function as a report. Where the processing is not likely to result in a high risk and such an impact assessment is therefore not required, the controller should still document how this risk estimate was reached (see the section on Data Protection Impact Assessment in Main Actions and Tools for detail).
- The records of processing (see Art. 30 GDPR).