Data Protection: Accountability and Governance

Sunday, April 16, 2017

The Information Commissioners Office (ICO) has updated its overview of the European General Data Protection Regulation (GDPR) which comes into force in May 2018.

Data protection principles set out in the GDPR, are similar to those in the current Data Protection Act 1998 with additional detail and a new accountability requirement which requires firms to be able to evidence how they comply with the principles.

The GDPR expressly promotes accountability and governance, and the focus on both is a deliberate complement to the GDPR’s transparency requirements. Previously, the principles of accountability and transparency had been implicit requirements of data protection law with the GDPR making the requirements explicit. 

Firms are expected to put in place, test and maintain 'comprehensive but proportionate governance measures'. Good practice tools, as articulated by ICO such as 'privacy impact assessments' and 'privacy by design' will be legally required in certain circumstances.

The measures envisaged in the GDPR are designed to minimise the risk of breaches and uphold the protection of personal data. In practice the ICO has made clear that this is likely to mean more detailed written policies and procedures for firms even though many firms already have good data protection governance measures in place.

To put the new accountability principle into context, article 5 of the GDPR requires that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals;

  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The accountability principle is embodied in article 5(2) which requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

With the enhanced need to be able to demonstrate compliance with the GDPR, the ICO has stated that firms must:

  • Implement appropriate technical and organisational measures that ensure and demonstrate that the firm is in compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

  • Maintain relevant documentation on processing activities.

  • Where appropriate, appoint a data protection officer.

  • Implement measures that meet the principles of data protection by design and data protection by default, measures could include data minimisation, pseudonymisation, transparency, allowing individuals to monitor processing, and creating and improving security features on an ongoing basis.

  • Use data protection impact assessments where appropriate.

In many places, data protection falls under the remit of the compliance function with oversight from internal audit. The increased focus on accountability and governance in GDPR firms will need to reconsider their approach ahead of the May 2018 implementation date. As Elizabeth Denham, the Information Commissioner, said in a January 2017 speech on GDPR and accountability “we're all going to have to change how we think about data protection”.

This speech gave an overview of some of the sweeping changes coming with GDPR including:

  • The new obligations for firms to report data breaches which pose a risk to the individual;
  • The need to ensure that specific protections are in place for transferring data to countries which are not listed as providing adequate protection (like Japan and India);
  • The ramifications of the new consent requirements whereby consent  must be freely given, specific, informed and unambiguous and firms will need to be able to prove that have all relevant consents if they rely on them for processing data. A pre-ticked box, for example, will not be deemed to be valid consent. The ICO has consulted on the enhanced expectations on consent.

The GDPR mandates on accountability and the need to evidence compliance will be another driver to change the culture of firms. As Denham put it: “that isn't an easy thing to do, and it's certainly true that accountability cannot be bolted on: it need to be part of the company's overall systems approach to how it manages and processes personal data”. The enforcement powers associated with the GDPR are profound with the ICO having the power to fine companies up to 20 million Euros or four percent of global annual turnover, whichever is higher. Denham made clear that the maximum monetary penalties will be used for the most serious violations of the law but that it won't be just about losing a laptop or cyber breach – the GDPR specifically gives regulators the power to enforce in the context of accountability. In a thinly veiled warning to UK firms, Denham said: ”If a business can't show that good data protection is a cornerstone of their practices, they're leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation”.

Data protection is a key regulatory risk and firms need to take all guidance from the ICO into consideration. The ICO is rapidly growing in capacity and capability to hold wrongdoing to account for all aspects of data protection with from spring 2017, the power to fine directors individually up to £500,000 each for breaches of the Privacy and Electronic Communications Regulations which cover issues such as nuisance calls.

The powers will be in addition to the existing capacity to fine firms also up to £500,000.It is a very rare firm that is not potentially caught by the new liability as PECR covers any electronic marketing messages whether by phone, fax, email or text. As the designated regulator of PECR, the ICO has published a guide to privacy and electronic communications which explains how to apply the regulations in practice.

For the future, firms would be well advised to undertake a wholesale review of their data protection and information security arrangements and to use that as a robust base from which to build the capability to not only comply with the GDPR but also to be able to evidence compliance.

Firms may also wish to take advantage of the ICO's team which offers audit and good practice visits to further benchmark a compliant approach to data protection.

Susannah Hammond is a Senior Regulatory Intelligence Expert in Governance, Risk and Compliance  at Thomson Reuters. Thomson Reuters provides market-leading solutions. For more information click here.