It has been a while since the GDPR came into our lives (well, considerably longer for some of us) and organisations are starting to get to grips with the concept of the new law. Although many organisations seem to have a basic grasp of the principles, one that is often overlooked is the accountability principle, which really is paramount to you as a business.
Speaking at the 17th Annual Data Protection Practical Compliance Conference, James Dipple-Johnstone, the ICO’s Deputy Commissioner of Operations warned organisations:
If you want to keep the ICO from your door, don’t underestimate the importance of transparency and accountability.
So, what does this principle mean? In short, it means “prove it”. Prove that your organisation complies with the GDPR. It is not good enough to simply say that you do. For example, you have to demonstrate that you:
- have appropriate policies and procedures in place
- provide training to your staff
- have GDPR-compliant written contracts in place with processors and joint controllers
- carry out Data Protection Impact Assessments if you wish to introduce a change to how you deal with personal information that is likely to result in a high risk to individuals’ interests.
In other words, you need to put in place appropriate technical and organisational measures to meet the requirements of the new law AND demonstrate that you have done this, i.e. you have to prove your compliance.