Accountability and governance
The accountability principle requires you to be able to demonstrate that your processing is done in compliance with the Applied GDPR. Accountability also has direct relevance to your responsibility as a controller, and Article 24 of the Applied GDPR further requires controllers and processors to
"implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation. These measures shall be reviewed and updated where necessary ... the measures ... shall include the implementation of appropriate data protection policies by the controller."
The requirements for controllers include:
- the implementation of appropriate data protection policies
- adherence to approved codes of conduct
- complying with the concepts of "data protection by design and by default"
- undertaking "data protection impact assessments"
The requirements for controllers and processors may include:
- maintaining records of processing activities
- appointment of a data protection officer
Compliance must be readily demonstrable to individuals and supervisory authorities, and failure to do so may lead to sanctions and/or a fine of up to £1,000,000.
Article 31 of the Applied GDPR imposes a duty on controllers and processors to co-operate with the supervisory authority in the performance of its tasks when requested.