Module 4: Accountability and Governance

Introduction

The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.

You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now legally required in certain circumstances.

Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.

To comply with the GDPR you must:

• Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies;

• Maintain relevant documentation on processing activities;

• Where appropriate, appoint a data protection officer;

• Implement measures that meet the principles of data protection by design and data protection by default. These measures could include:

– Data minimisation

– Pseudonymisation

– Allowing individuals to monitor processing;

– Creating and improving security features on an ongoing basis; and

– Transparency.

• Use data protection impact assessments where appropriate.

You can also:

• Adhere to approved codes of conduct and/or certification schemes. We will look at this later on in the module.

Contracts

The GDPR makes written contracts between controllers and processors a general requirement, rather than just a way of demonstrating compliance with the seventh principle (appropriate security measures) under the Data Protection Act.

These contracts must now include certain specific terms as a minimum. These terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR and not just those relating to keeping personal data secure. The GDPR allows for standard contractual clauses from the EU Commission or a supervisory authority, such as the ICO, to be used in contracts between controllers and processors – although none have been drafted by either the EU Commission or the ICO.

Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place. Similarly, if a processor employs another processor it needs to have a written contract in place.

The GDPR allows standard contractual clauses from the EU Commission or a Supervisory Authority (such as the ICO) to be used in contracts between controllers and processors. However, no standard clauses are currently available. The GDPR also allows these standard contractual clauses to form part of a code of conduct or certification mechanism to demonstrate compliant processing. However, no schemes are currently available.

Let's look at some of the things needed in relation to contracts.

Your contracts include the following compulsory details:

• The subject matter and duration of the processing;

• The nature and purpose of the processing;

• The type of personal data and categories of data subject; and

• The obligations and rights of the controller.

Your contracts include the following compulsory terms:

• The processor must only act on the written instructions of the controller (unless required by law to act without such instructions);

• The processor must ensure that people processing the data are subject to a duty of confidence;

• The processor must take appropriate measures to ensure the security of processing;

• The processor must only engage a sub-processor with the prior consent of the data controller and a written contract;

• The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;

• The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

• The processor must delete or return all personal data to the controller as requested at the end of the contract; and

• The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

As a matter of good practice, your contracts:

• State that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR; and

• Reflect any indemnity that has been agreed.

In addition to the Article 29.3 contractual obligations set out in the controller and processor contracts checklist, a processor has the following direct responsibilities under the GDPR. The processor must:

• Only act on the written instructions of the controller (Article 29);

• Not use a sub-processor without prior written authorisation of the controller (Article 28.2);

• Co-operate with supervisory authorities such as the ICO, in accordance with Article 31;

• Ensure the security of its processing in accordance with Article 32;

• Keep records of its processing activities in accordance with Article 30.2;

• Notify any personal data breaches to the controller in accordance with Article 33;

• Employ a data protection officer if required in accordance with Article 37; and

• Appoint (in writing) a representative within the European Union if required in accordance with Article 27.

A processor should also be aware that:

• It may be subject to investigative and corrective powers of supervisory authorities such as the ICO, under Article 58 of the GDPR;

• If it fails to meet obligations, it may be subject to an administrative fine under Article 83 of the GDPR;

• If it fails to meet its GDPR obligations it may be subject to a penalty under Article 84 of the GDPR; and

• If it fails to meet its GDPR obligations it may have to pay compensation under Article 82 of the GDPR.

Documentation

Most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.

Documenting your processing activities is important, not only because this in itself is a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.

Under the GDPR, the documentation of processing activities is a new requirement.

Controllers and processors each have their own documentation obligations. If you have 250 or more employees, you must document all your processing activities. There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that:

• are not occasional; or

• could result in a risk to the rights and freedoms of individuals; or

• involve the processing of special categories of data or criminal conviction and offence data.

What do we need to document under Article 30 of the GDPR?

You must document the following information:

• The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).

• The purposes of your processing.

• A description of the categories of individuals and categories of personal data.

• The categories of recipients of personal data.

• Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.

• Retention schedules.

• A description of your technical and organisational security measures.

When it comes to documentation there are some things you should know. Let's have a look below.

Documentation of processing activities – requirements

You document your processing activities in electronic form, so you can add, remove and amend information easily.

• If you are a controller for the personal data you process, you document all the applicable information under Article 30.1 of the GDPR.

• If you are a processor for the personal data you process, you document all the applicable information under Article 30.2 of the GDPR.

• If you process special category or criminal conviction and offence data, you document:

– the condition for processing you rely on in the Data Protection Bill;

– the lawful basis for your processing; and

– whether you retain and erase the personal data in accordance with your policy document.

• You document your processing activities in writing.

• You document your processing activities in a granular way with meaningful links between the different pieces of information.

• You conduct regular reviews of the personal data you process and update your documentation accordingly.

Documentation of processing activities – best practice

When preparing to document your processing activities you:

– do information audits to find out what personal data your organisation holds;

– distribute questionnaires and talk to staff across the organisation to get a more complete picture of your processing activities; and

– review your policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.

As part of your record of processing activities you document, or link to documentation, on:

– information required for privacy notices;

– records of consent;

– controller-processors contracts;

– the location of personal data;

– Data Protection Impact Assessment reports; and

– records of personal data breaches.

Data Protection Impact Assessments

A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.

You must do a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals' interests. To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. If you identify a high risk and you cannot mitigate that risk, you must consult the ICO before starting the processing. The ICO will give written advice within eight weeks, or fourteen weeks in complex cases. In appropriate cases it may issue a formal warning not to process the data or ban the processing altogether.

Your DPIA must:

• describe the nature, scope, context and purposes of the processing;

• assess necessity, proportionality and compliance measures;

• identify and assess risks to individuals; and

• identify any additional measures to mitigate those risks.

You should consult your DPO (if you have one) and, where appropriate, individuals and relevant experts. Processors may need to assist.

If you do not already have a PIA process, you will need to design a new DPIA process and embed it into your organisational policies and procedures.

In the run-up to 25 May 2018, you also need to review your existing processing operations and decide whether you need to do a DPIA for anything which is likely to be high risk. You will not need to do a DPIA if you have already considered the relevant risks and safeguards, unless there has been a significant change to the nature, scope, context or purposes of the processing.

When it comes to Data Protection Impact Assessments there are certain things you should know. Let’s look at these below.

Data Protection Impact Assessment Awareness

• You provide training so that your staff understand the need to consider a DPIA at early stages of any plan involving personal data.

• Your existing policies, processes and procedures include references to DPIA requirements.

• You understand the types of processing that require a DPIA and use the screening checklist to identify the need for a DPIA where necessary.

• You have created and documented a DPIA process.

• You provide training for the relevant staff on how to carry out a DPIA.

DPIA Screening

You should always carry out a DPIA if you plan to:

• Use systematic and extensive profiling or automated decision-making to make significant decisions about people.

• Process special category data or criminal offence data on a large scale.

• Systematically monitor a publicly accessible place on a large scale.

• Use new technologies.

• Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.

• Carry out profiling on a large scale.

• Process biometric or genetic data.

• Combine, compare or match data from multiple sources.

• Process personal data without providing a privacy notice directly to the individual.

• Process personal data in a way which involves tracking individuals online or offline location or behaviour.

• Process children’s personal data for profiling or automated decision-making or marketing purposes or offer online services directly to them.

• Process personal data which could result in a risk of physical harm in the event of a security breach.

You should consider carrying out a DPIA if you plan to carry out any other:

• Evaluation or scoring.

• Automated decision making with significant effects.

• Systematic

• Processing of sensitive data or data of a highly personal nature.

• Processing on a large scale.

• Processing of data concerning vulnerable data subjects.

• Innovative technological or organisational solutions.

• Processing involving preventing data subjects from exercising a right or using a service or contract.

If you decide not to carry out a DPIA, you should document your reasons.

You consider carrying out a DPIA in any major project involving the use of personal data.

You carry out a new DPIA if there is a change to the nature, scope, context or purposes of your processing.

DPIA Process

• You describe the nature, scope, context and purposes of the processing.

• You ask your data processors to help you understand and document their processing activities and identify any associated risks.

• You consider how best to consult individuals (or their representatives) and other relevant stakeholders.

• You ask for the advice of your data protection officer.

• You check that the processing is necessary for and proportionate to your purposes and describe how you will ensure data protection compliance.

• You do an objective assessment of the likelihood and severity of any risks to individuals' rights and interests.

• You identify measures you can put in place to eliminate or reduce high risks.

• You record the outcome of the DPIA, including any difference of opinion with your DPO or individual consulted.

• You implement the measures identified and integrate them into your project plan.

• You consult the ICO before processing if you cannot mitigate high risks.

• You keep your DPIAs under review and revisit them if necessary.

How do you carry out a DPIA?

A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:

1. Identify the need for a DPIA

2. Describe the processing

3. Consider consultation

4. Assess necessity and proportionality

5. Identify and assess risks

6. Identify measures to mitigate risk

7. Sign off and record outcomes

8. Integrate outcomes into plan

9. Keep under review

You must seek the advice of your data protection officer (if you have one). You should also consult with individuals and other stakeholders throughout this process.

The process is designed to be flexible and scalable. We recommend that you publish your DPIAs, with sensitive details removed if necessary.

Data Protection Officers (DPO)

The General Data Protection Regulation introduces a duty for you to appoint a data protection officer if you are a public authority or if you carry out certain types of processing activities. A data protection officer can help you demonstrate compliance and is part of the enhanced focus on accountability.

DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority (the ICO). The DPO must be independent, an expert in data protection, adequately resourced and report only to the highest management level. They can be an existing employee or externally appointed, and in some cases several organisations can appoint a single DPO between them.

You can appoint a DPO if you wish, even if you aren't required to. If you decide to voluntarily appoint a DPO you should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.

If you decide that you don't need to appoint a DPO, either voluntarily or because you don't meet the criteria, it's a good idea to record this decision to help demonstrate compliance with the accountability principle.

The other two conditions that require you to appoint a DPO only apply when:

• your core activities consist of processing activities which, by virtue of their nature, scope and/or their purposes, require the regular and systematic monitoring of individuals on a large scale; or

• your core activities consist of processing on a large scale of special category data, or data relating to criminal convictions and offences.

Your core activities are the primary business activities of your organisation. So, if you need to process personal data to achieve your key objectives, this is a core activity. This is different to processing personal data for other secondary purposes, which may be something you do all the time (e.g. payroll or HR information), but which is not part of carrying out your primary objectives.

When it comes to a Data Protection Officer there are certain things you should know. Let's look at these below.

Appointing a Data Protection Officer

• You are a public authority and have appointed a Data Protection Officer (except if you are a court acting in your judicial capacity).

• You are not a public authority, but you know the nature of your processing activities requires the appointment of a Data Protection Officer.

• You have appointed a Data Protection Officer based on their professional qualities and expert knowledge of data protection law and practices.

• You aren't required to appoint a Data Protection Officer under the GDPR, but you have decided to do so voluntarily. You understand that the same duties and responsibilities apply as if you had been required to appoint a Data Protection Officer. You support your DPO to the same standards.

The Position of the Data Protection Officer

• Your Data Protection Officer reports directly to your highest level of management and is given the required independence to perform their tasks.

• You involve your Data Protection Officer in a timely manner in all issues relating to the protection of personal data.

• Your Data Protection Officer is sufficiently well resourced to be able to perform their tasks.

• You do not penalise the Data Protection Officer for performing their duties.

• You ensure that any other tasks or duties you assign your Data Protection Officer do not result in a conflict of interests with their role as Data Protection Officer.

Tasks of the Data Protection Officer

• Your Data Protection Officer is tasked with monitoring compliance with the GDPR and other data protection laws, your data protection policies, awareness-raising, training and audits.

• You will take account of your Data Protection Officer’s advice and the information they provide on your data protection obligations.

• When carrying out a DPIA, you seek the advice of your Data Protection Officer who also monitors the process.

• Your Data Protection Officer acts as a contact point for the ICO. They co-operate fully with the ICO.

• When performing their tasks, your Data Protection Officer has due regard to the risk associated with processing operations, and takes into account the nature, scope, context and purposes of processing.

Accessibility of the Data Protection Officer

• Your Data Protection Officer is easily accessible as a point of contact for your employees, individuals and the ICO.

• You have published the contact details of the Data Protection Officer and communicated them to the ICO.

Codes of Conduct and Certification

The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply. Signing up to a code of conduct or certification scheme is NOT obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply. Adhering to codes of conduct and certification schemes brings a number of benefits over and above demonstrating that you comply. It can:

• Improve transparency and accountability, enabling individuals to distinguish the organisations that meet the requirements of the law and who they can trust with their personal data;

• Provide mitigation against enforcement action; and

• Improve standards by establishing best practice.

The specific needs of micro, small and medium sized enterprises must be taken into account. When contracting work to third parties, including processors, you may wish to consider whether they have signed up to codes of conduct or certification mechanisms.

Who is responsible for drawing up codes of conducts?

• Governments and regulators can encourage the drawing up of codes of conduct.

• Codes of conduct may be created by trade associations or representative bodies.

• Codes should be prepared in consultation with relevant stakeholders, including individuals.

• Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB).

• Existing codes can be amended or extended to comply with the requirements under the GDPR.

What will codes of conduct address?

Codes of conduct should help you comply with the law and may cover topics such as:

• Fair and transparent processing;

• Legitimate interests pursued by controllers in specific contexts;

• The collection of personal data;

• The pseudonymisation of personal data;

• The information provided to individuals and the exercise of individuals' rights;

• The information provided to and the protection of children (including mechanisms for obtaining parental consent);

• Technical and organisational measures, including data protection by design and by default and security measures;

• Breach notification;

• Data transfers outside the EU; or

• Dispute resolution procedures.

What are the practical implications?

If you sign up to a code of conduct, you will be subject to mandatory monitoring by a body accredited by the supervisory authority. If you infringe the requirements of the code of conduct, you may be suspended or excluded, and the supervisory authority will be informed. You also risk being subject to a fine of up to 10 million Euros or 2 per cent of your global turnover.

Adherence to a code of conduct may serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine.

Who is responsible for certification mechanisms?

Member states, supervisory authorities, the EDPB or the Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation.

Certification will be issued by supervisory authorities or accredited certification bodies.

What is the purpose of a certification mechanism?

A certification mechanism is a way for you to demonstrate that you comply, in particular by showing that you are implementing technical and organisational measures.

A certification mechanism may also be established to demonstrate the existence of appropriate safeguards related to the adequacy of data transfers. Certification mechanisms are intended to allow individuals to quickly assess the level of data protection of a particular product or service.

What are the practical implications?

Having certification does not reduce your data protection responsibilities.

You must provide all the necessary information and access to your processing activities to the certification body to enable it to conduct the certification procedure.

Any certification will be valid for a maximum of three years. It can be withdrawn if you no longer meet the requirements of the certification and the supervisory authority will be notified.

Guide to the Data Protection fee

The Government has announced a new charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO).

The new structure was laid before Parliament as a Statutory Instrument and will come into effect on 25 May 2018, to coincide with the General Data Protection Regulation.

Until then, organisations are legally required to pay the current notification fee, unless they are exempt.

To help data controllers understand why there’s a new funding model and what they’ll be required to pay from 25 May 2018, the ICO has produced a Guide to the Data Protection Fee.

The model must still be approved by Parliament before it is finally confirmed. But the ICO has created a guide that reflects the draft and is intended to help data controllers prepare for what the Government is proposing.