Charities and internal investigations
The GDPR has introduced a new accountability principle: the data controller “shall be responsible for, and be able to demonstrate compliance, with” each of the six principles of the GDPR. For a principle summarised in 10 words, there is a significant amount of work required by organisations to ensure accountability. And there may be significant consequences if this work is not undertaken.
In the event of a data protection breach, the Information Commissioners Office (‘ICO’) may request (or potentially compel) evidence of an organisation’s compliance with each of the six principles of the GDPR. In practice, this will mean demonstrating that every aspect of an organisation’s data processing is undertaken in a fair, lawful and transparent way, that data is only kept for as long as necessary and remains secure at all stages of the processing. Even if an organisation complies in every other respect with the principles, if it is not adequately able to demonstrate this compliance, it will be in breach of the GDPR.
There are three ways in which an organisation can ensure compliance with the principle of accountability:
Data protection must be a priority for the highest level of any organisation, whether this is a partnership of two or the board of a large company. Whether or not the GDPR requires the appointment of a data protection officer (see our earlier blog), it is important to ensure that there is a clear line of responsibility and accountability for the data handling practices of the organisation which leads to directly to the senior leadership within the organisation.
Data protection is not a ‘bolt on’ on to your organisation’s operations. Any new aspect of an organisation’s activities should be developed from the offset with data protection in mind. The GDPR created concepts of ‘privacy by design’ and ‘privacy by default’, meaning organisations must consider data processing throughout the lifecycle of processing that data. The GDPR suggests that measures that may be appropriate to ensure privacy by design and default could include streamlining the data collected, applying pseudonymisation techniques and integrating measures to avoid security breaches.
In the event of a breach of the principles, the ICO may want to see contemporaneous records. If such documents are not provided voluntarily, these can be compelled by service of an information notice or the ICO is able to undertake a compulsory audit of an organisation. It will not be sufficient to create post-hoc records for these purposes, rather it is essential that companies keep a complete set of “live” records. This will include both internal documents (such as policies and registers) and external documents (such as privacy notices). The failure to provide these documents will be a breach of the accountability principle of the GDPR, potentially leading to ICO regulatory action.
Article 30 of the GDPR requires data controllers to maintain a “record of processing activities” which includes the following information:
In addition, the ICO recommends that the following information should be included in the Article 30 record of processing:
Finally, the following documents should also be created and maintained:
This collection of documents should become a live resource and record of the day to day data processing activities of the organisation. Where data processing activities change, these records must be reviewed and, where necessary, updated.
Data breach is a real risk for all organisations at any time and with the introduction of compulsory notification to the ICO, there is the real risk of ICO checking upon an organisation’s overall compliance. Therefore, even though the ICO follows a policy of proportionate and targeted regulatory action given its limited resources, the new accountability principle creates a real incentive for organisations to fulfil all of their data protection responsibilities all of the time.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.
Skip to content Home About Us Insights Services Contact Accessibility