Privacy Top 20 Ratgeber

Accountability: What data protection requires of you

Since May 25, 2018, companies, associations, medical practices and website operators have been obliged to comply not only with the German Federal Data Protection Act (BDSG) but also with the EU General Data Protection Regulation (GDPR). Those who fail to do so risk a GDPR warning letter (Abmahnung) or action by the supervisory authority. To make sure that you actually implement the requirements, the GDPR makes you accountable: you must be able to demonstrate compliance, not merely assert it. In this guide, we explain what you must be able to prove to the supervisory authorities on request.

Accountability according to GDPR

The General Data Protection Regulation starts from the premise that personal data requires a higher level of protection. In the digital age, where each of us discloses information without noticing, such rules are indispensable. Anyone who collects and processes details about natural persons must ensure that appropriate protective measures are in place and must be able to demonstrate this. According to Art. 5 GDPR, this means the following for you:

  • You process data lawfully, fairly and transparently (lawfulness, fairness and transparency).
  • The processing must be comprehensible for data subjects: they must be able to understand what happens to their data and why.
  • The magic word is data minimization: you collect only the information you really need for the stated purpose.
  • The purpose must be specified, explicit and legitimate, and the data must not be further processed in a way incompatible with it (purpose limitation).
  • Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be rectified or erased without delay (accuracy).
  • Data is kept in a form that permits identification of data subjects for no longer than the processing requires; afterwards it is erased or anonymized (storage limitation).
  • You guarantee the security of the data, i.e. its integrity and confidentiality, through appropriate technical and organizational measures.

As the controller, you are therefore accountable for these principles (Art. 5(2) GDPR) and must be able to demonstrate on request that you comply with them.

This obligation is spelled out in Art. 24 GDPR:

The controller (you, not your data protection officer, who only advises and monitors) implements appropriate technical and organizational measures, taking into account the nature, scope, context and purposes of the processing and the risks to data subjects, in order to:

  • ensure that personal data is processed in accordance with the GDPR, and
  • be able to demonstrate this to the supervisory authorities on request.

These measures must be reviewed and updated where necessary.

To compel companies, institutions, associations and practices to comply with the GDPR and its accountability obligation, supervisory authorities can impose fines in the millions: under Art. 83 GDPR, up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

What does this mean in concrete terms for you?

  1. You must carry out a risk analysis to determine the scope of your security measures. The appropriate level depends not simply on the amount of personal data you process, but on its nature and sensitivity, the context and purposes of the processing, and the likelihood and severity of the risk to data subjects (Art. 24 and 32 GDPR). Review the measures regularly so that data security keeps pace with the state of the art.
  2. Accountability is linked to an obligation to provide proof. As soon as an authority requests information about your documentation, you must comply. The form in which you do so is not prescribed by law; in practice, written or electronic records (risk analysis, record of processing activities, data protection impact assessments, processing agreements, training records) are what authorities expect to see. We assume, however, that the EU will elaborate on this point in the near future.

Everything has its limits

This is also the case for accountability. As a rule, you only have to provide the evidence that the supervisory authority explicitly requests. At least in theory, you therefore do not have to disclose all of your records unprompted, and you are not obliged to volunteer deficiencies. Bear in mind, however, that supervisory authorities have broad investigative powers under Art. 58(1) GDPR, including ordering you to provide any information they require and obtaining access to premises and data processing equipment, and that concealing documents can be interpreted against you. Our recommendation: seek the advice of your data protection officer. They are your first point of contact whenever the supervisory authority approaches you.

Who is liable for a security breach?

As the controller, you remain responsible in every case. Even if you have third parties process data on your behalf, or employ an internal or external data protection officer, liability stays with you; processors have their own obligations under the GDPR, but that does not relieve you of yours. This makes it all the more important to ensure that subcontractors also comply with the GDPR and can account to you for their processing.

You must implement these measures

To meet your accountability obligation adequately, take the following steps:

1. Data protection impact assessment (DPIA):

You carry it out before the processing begins. You use it to evaluate the risks and consequences for the data subjects when you collect and process their data. According to Art. 35 GDPR, you are obliged to carry out a data protection impact assessment when the processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular in the case of:

  • Profiling and scoring
  • Automated decisions with legal or similarly significant effects
  • Systematic monitoring, especially of publicly accessible areas on a large scale
  • Biometric procedures

You are also subject to accountability in the form of a data protection impact assessment if you process the following special categories of personal data (Art. 9 GDPR) on a large scale, among others:

  • Racial and ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health data
  • Genetic and biometric data
  • Data on sex life or sexual orientation

If you conduct internal investigations against your employees, or if there is otherwise an increased risk to the rights of data subjects, a data protection impact assessment must also be prepared.

2. Record of processing activities:

In this record (Art. 30 GDPR, often called the directory of processing activities), you document all relevant information about your processing of personal data, including:

  • Purpose of the processing
  • Categories of data subjects and of personal data
  • Recipients, including recipients in third countries
  • Envisaged retention periods
  • A general description of the technical and organizational security measures

You must be able to hand this record to the supervisory authority on request. Detailed information on this subject can be found in our guide “Directory of processing activities.”

3. Raising employee awareness:

This point is not explicitly mentioned in the GDPR, but it is nevertheless part of accountability. Every employee must be informed of the responsibility they assume when processing personal data; keep a record of who was trained and when, since that record is your proof. At the same time, employees must be informed of their rights with regard to their own data.

4. Data protection officer:

As soon as at least ten persons in your company are regularly engaged in the automated processing of personal data, you must appoint a data protection officer (§ 38 BDSG in the version in force in 2018; the threshold was raised to 20 persons in November 2019). Independently of headcount, Art. 37 GDPR requires a data protection officer for public bodies and wherever the core activities consist of large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data. You can either train an employee or hire an external expert. First and foremost, the person must have the expertise to carry out the position and its associated tasks correctly. On our platform, you can learn about providers and compare them by visiting the following category: “External data protection officer.”

5. Accountability of your processors:

It is not only you who are obliged to give authorities and data subjects information about the data collected. If you use subcontractors (processors) for processing, they must in turn account to you under the GDPR. According to Art. 28 GDPR, you must conclude a written data processing agreement with each processor that sets out, among other things, the subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and your rights and obligations as controller; without such an agreement you are not in compliance.