In data privacy matters, “accountability” means an obligation to report and explain, combined with principles of transparency and traceability, with a view to identify and document the measures implemented to comply with data privacy law requirements. It also implies an obligation for the data controller to assume liability and warrant a result, namely the efficacy of the data protection and the verifiability of the measures taken to this end.
Accountability thus implies for the data controller not only the obligation to comply with the applicable rules, but also the obligation to demonstrate to the authorities and/or the data subjects how such compliance is ensured. Laws and other texts will gradually integrate accountability requirements for personal data protection.
As a matter of fact, Article 22 of the draft EU General Data Protection Regulation designed to reform Directive No. 95/46/EC on the protection of personal data requires data controllers to adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the data privacy legislation.
- Applying the accountability principle implies taking a series of actions, including, but not limited to:
- Establish effective procedures to ensure the company’s compliance with data protection legislation;
- Develop a policy for the awareness, information and training of the staff in relation to data privacy issues;
- Conduct a data privacy audit to assess the level of compliance of the processing operations implemented by the company and identify any corrections necessary to fill any compliance gaps;
- Set up a team dedicated to data privacy (data privacy officer, etc.);
- Adopt a Privacy by Design approach;
- Adopt and implement Binding Corporate Rules (BCR) to regulate cross-border data transfers;
- Draft and keep up-to-date relevant documentation on the processing implemented;
- Carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.