Accountability may be compared with the Copernican revolution, which moved the centre of the universe from the earth to the sun. The gravitational pull of Accountability – as the new centre of gravity of the GDPR – derives from shifting the burden of proof to the controller.[1] This shift has a far-reaching effect on the whole system of data protection principles within the GDPR.
Whereas Art. 5 (1) GDPR lists the six fundamental principles of the GDPR, namely (1) lawfulness, fairness and transparency, (2) purpose limitation, (3) data minimisation, (4) accuracy, (5) storage limitation and (6) integrity and confidentiality, Art. 5 (2) GDPR states:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Under Directive 95/46 the data subject or the DPA (Data Protection Authority) had to show that a controller had infringed data protection law. This principle has now been turned into its opposite: the controller has to give evidence of its compliance with the GDPR.
- Origin and transformation of accountability
Historically, Accountability was developed in connection with a different approach to data protection. In 1980 the OECD Guidelines stated fundamental principles and left the controller broad leeway on how to fulfil these principles.[2] Whereas the principles were undisputed, the way and the measures to fulfil them were at the discretion of the controller. The OECD Guidelines still define accountability: “A data controller should be accountable for complying with measures which give effect to the principles stated above.”
The GDPR states its principles in Article 5 GDPR in the same way but – in contrast – contains very specific requirements in the following sections which describe in detail how to fulfil these principles. For example, the principle of lawfulness is one of the main principles in Article 5 GDPR. It requires any data processing to be based on a legal ground. These legal grounds are defined in detail, especially in Articles 6 to 9 GDPR. Insofar as WhatsApp cannot demonstrate in the proceedings brought by Max Schrems[3] that consent was freely given, WhatsApp infringes not only Article 7 GDPR but also the principle of lawfulness and, at the same time, the Accountability principle.
The same legal mechanism applies to the other principles of Article 5 GDPR, for example transparency. Whenever a controller does not inform data subjects according to Article 13 GDPR, this controller infringes not only Article 13 GDPR but also the principle of transparency. In addition, this controller cannot show its compliance with the GDPR and therefore infringes the Accountability principle too.
These two examples illustrate that Accountability is the centre of gravity of all principles of the GDPR. This significance is underlined by the highest tier of fines, up to 20 million EUR or up to 4 % of the annual turnover, in case of an infringement of this principle.[4]
Accountability is not only mentioned in Article 5 GDPR, which contains the main principles of the GDPR, but also in connection with consent according to Article 7 (1) GDPR. Article 24 (3) GDPR underlines the responsibility of the controller to demonstrate compliance. Finally, processors are bound by Accountability to show their compliance to the controller.[5]
By being taken from the principle-based data protection of the OECD Guidelines and transferred into the GDPR, which takes a holistic approach with very detailed requirements, Accountability changes its character. Under the GDPR, Accountability requires complete documentation of all processes concerning personal data in a broad sense. Otherwise a controller will not be in a position to satisfy the burden of proof and to give evidence that it complies with the GDPR.
- Accountability and liability
The shift of the burden of proof to the controller is a general approach of the GDPR. This mechanism applies to Accountability and to liability alike. Article 83 (2) GDPR states:
“A controller or processor shall be exempt from liability … if it proves that it is not in any way responsible for the event giving rise to the damage.”
Since the burden of proof for damages lies with the controller, the internal documentation which demonstrates compliance for the purpose of Accountability may play a crucial role in any lawsuit for damages. When the question arises whether an action complied with the GDPR, a controller can give evidence of its compliance only through the internal documentation which serves to fulfil the Accountability principle.
The first legal action of data protection activist Max Schrems under the GDPR shows that the shift of the burden of proof plays a crucial role in his reasoning.[6]
- How to comply with accountability?
The GDPR provides some instruments for fulfilling Accountability, such as the record of processing activities according to Article 30 GDPR and the Data Protection Impact Assessment (DPIA) according to Article 35 GDPR. The German DPAs do not regard these instruments as sufficient.[7] Given the high impact of Accountability, a holistic and systematic approach to documentation, implemented through a Data Protection Management System (DPMS), will be required.
- The record of processing activities
The record of processing activities is similar to an inventory of all processes of the controller which are related to personal data. It answers the following questions:
- What data is processed for what purpose on which legal basis in which application?
- Who has access to this data? Who are the recipients?
- How is the data secured by what adequate technical measure?
- Is a transfer outside the EU happening? What safeguards have been set up?
- When will the personal data be deleted?
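As an added example that is not part of the original article, the following Python sketch models the five questions above as the fields of one entry in the record of processing activities and checks each entry for the gaps an auditing DPA would ask about (missing legal basis, undocumented access, no security measure, a transfer outside the EU without a safeguard, no deletion date). The field names, the short labels for legal bases and safeguards, and the three sample entries are constructed for this illustration and are not taken from the article or from any DPA template.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Legal grounds of Art. 6 (1) GDPR (consent, contract, legal obligation,
# vital interests, public task, legitimate interests) as short labels.
LEGAL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

# Labels for transfer safeguards; constructed for this example, not a complete legal list.
TRANSFER_SAFEGUARDS = {
    "adequacy_decision", "standard_contractual_clauses", "binding_corporate_rules",
}


@dataclass
class ProcessingActivity:
    """One entry of the record of processing activities, mirroring the five questions above."""
    name: str
    application: str                  # in which application is the data processed?
    data_categories: List[str]        # what data?
    purpose: str                      # for what purpose?
    legal_basis: str                  # on which legal basis?
    access_roles: List[str] = field(default_factory=list)        # who has access?
    recipients: List[str] = field(default_factory=list)          # who are the recipients?
    security_measures: List[str] = field(default_factory=list)   # how is the data secured?
    transfer_outside_eu: bool = False                            # is a transfer outside the EU happening?
    transfer_safeguard: Optional[str] = None                     # which safeguard covers it?
    retention_period: Optional[str] = None                       # when will the data be deleted?


def check_activity(a: ProcessingActivity) -> List[str]:
    """Return the gaps in one entry an auditor would flag (empty list = entry is complete)."""
    findings = []
    if not a.data_categories:
        findings.append("no categories of personal data listed")
    if not a.purpose.strip():
        findings.append("purpose missing")
    if a.legal_basis not in LEGAL_BASES:
        findings.append(f"legal basis '{a.legal_basis}' is not one of the Art. 6 (1) GDPR grounds")
    if not a.access_roles:
        findings.append("no access roles documented")
    if not a.security_measures:
        findings.append("no technical security measures documented")
    if a.transfer_outside_eu and a.transfer_safeguard not in TRANSFER_SAFEGUARDS:
        findings.append("transfer outside the EU without a documented safeguard")
    if not a.retention_period:
        findings.append("no deletion or retention period documented")
    return findings


def audit_record(activities: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map the name of every incomplete entry to its findings; complete entries are omitted."""
    result = {}
    for a in activities:
        findings = check_activity(a)
        if findings:
            result[a.name] = findings
    return result


# Constructed sample record: one complete entry and two with gaps.
SAMPLE_RECORD = [
    ProcessingActivity(
        name="newsletter", application="mailing tool",
        data_categories=["e-mail address", "name"],
        purpose="sending the monthly newsletter", legal_basis="consent",
        access_roles=["marketing team"], recipients=["e-mail service provider (EU)"],
        security_measures=["TLS in transit", "role-based access control"],
        retention_period="until consent is withdrawn",
    ),
    ProcessingActivity(
        name="support tickets", application="helpdesk system",
        data_categories=["name", "e-mail address", "ticket text"],
        purpose="handling customer support requests", legal_basis="contract",
        access_roles=["support team"], recipients=["hosting provider (US)"],
        security_measures=["encryption at rest"],
        transfer_outside_eu=True, transfer_safeguard=None, retention_period=None,
    ),
    ProcessingActivity(
        name="web analytics", application="analytics platform",
        data_categories=["IP address", "page views"],
        purpose="usage statistics", legal_basis="business need",
        security_measures=["IP anonymisation"], retention_period="14 months",
    ),
]

if __name__ == "__main__":
    for name, findings in audit_record(SAMPLE_RECORD).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the block prints the two incomplete entries with their findings; the "newsletter" entry produces none. Keeping the entries in a structured form like this is what makes the record "easily accessible to the DPA": the same check can be re-run on every change and the output handed over as evidence.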
The record of processing activities shall be designed in a way which is easily accessible to the DPA. The DPA will use these records as a tool to conduct audits of the controller.
- The Data Protection Impact Assessment (DPIA)
A DPIA is a systematic method to check whether data processing activities which potentially result in a high risk comply with the GDPR.[8] This risk assessment is to be done from the perspective of the data subject. It contains an estimation of the likelihood and the severity of the risk, the mitigating measures and the final risk evaluation.[9] The DPAs will publish a list of the kinds of data processing operations for which a DPIA is mandatory. In addition, the DPIAs on that list have to be approved by the DPA.
- Data Protection Management System (DPMS)
The record of processing activities and the DPIA are two main instruments of Accountability, but they will not be sufficient to build up documentation which shows a complete picture of all activities required to comply with the GDPR. Therefore, it is necessary to establish a DPMS. The DPMS is currently not an established standard. A sound approach is to design the DPMS in analogy to the ISMS[10] (Information Security Management System) or to the CMS[11] (Compliance Management System). The main elements of a DPMS are
- the positioning of the DPO (Data Protection Officer) in the hierarchy of the organisation of the controller,
- the system of internal data protection policies,
- the way risk assessments of new processes relating to personal data are conducted with the involvement of the DPO and
- the communication of data breaches to DPA and data subject in a timely manner.
The record of processing activities and the DPIA can be integrated into the DPMS. The best approach will be to implement software for the DPMS which assigns the activities to the stakeholders and documents all related activities, like ticketing software. Usually the ISMS and the CMS require a cyclical procedure following the ‘plan, do, check, act’ method[12] once per year.
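As an added example that is not part of the original article, the following Python sketch models the DPIA risk evaluation described in the DPIA section above (likelihood and severity of each risk from the data subject's perspective, the mitigating measures, and the final evaluation of the residual risk) in a form that could be stored and re-run inside a DPMS. The four-level scale, the scoring thresholds, the decision rule that a residual high risk is escalated for DPA review, and the sample risks are constructed assumptions for this illustration; they are not the CNIL tool's method or any DPA's criteria.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed four-level scale used for both likelihood and severity (assumption).
SCALE = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}


@dataclass
class Risk:
    """One risk to the data subject identified in a DPIA."""
    description: str
    likelihood: int                              # 1..4 before mitigation
    severity: int                                # 1..4 before mitigation
    mitigations: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None    # after mitigation; None = unchanged
    residual_severity: Optional[int] = None      # after mitigation; None = unchanged


def score(likelihood: int, severity: int) -> int:
    """Risk score as likelihood x severity on the 1..4 scales (assumed scoring)."""
    if likelihood not in SCALE or severity not in SCALE:
        raise ValueError("likelihood and severity must be between 1 and 4")
    return likelihood * severity


def level(risk_score: int) -> str:
    """Assumed thresholds: 9..16 is high, 4..8 is medium, 1..3 is low."""
    if risk_score >= 9:
        return "high"
    if risk_score >= 4:
        return "medium"
    return "low"


def evaluate_dpia(risks: List[Risk]) -> Dict:
    """Evaluate every risk before and after mitigation and decide whether the DPIA can be closed."""
    report = {"risks": [], "residual_high_risks": []}
    for r in risks:
        initial = score(r.likelihood, r.severity)
        rl = r.likelihood if r.residual_likelihood is None else r.residual_likelihood
        rs = r.severity if r.residual_severity is None else r.residual_severity
        residual = score(rl, rs)
        entry = {
            "description": r.description,
            "initial": level(initial),
            "mitigations": list(r.mitigations),
            "residual": level(residual),
        }
        report["risks"].append(entry)
        if entry["residual"] == "high":
            report["residual_high_risks"].append(r.description)
    # Constructed decision rule: any residual high risk means the assessment is
    # escalated for DPA review instead of being closed internally.
    report["dpa_review_required"] = bool(report["residual_high_risks"])
    return report


# Constructed sample risks for a hypothetical health-data processing operation.
SAMPLE_RISKS = [
    Risk("illegitimate access to health data by staff", likelihood=3, severity=4,
         mitigations=["role-based access control", "access logging with regular review"],
         residual_likelihood=1, residual_severity=4),
    Risk("loss of backup media", likelihood=2, severity=3,
         mitigations=["encrypted off-site backups"],
         residual_likelihood=1, residual_severity=3),
    Risk("re-identification of pseudonymised analytics data", likelihood=3, severity=3),
]

if __name__ == "__main__":
    result = evaluate_dpia(SAMPLE_RISKS)
    for entry in result["risks"]:
        print(f"{entry['description']}: {entry['initial']} -> {entry['residual']}")
    print("DPA review required:", result["dpa_review_required"])
```

In the sample, the two mitigated risks drop from high to medium and from medium to low, while the unmitigated re-identification risk stays high and therefore flags the assessment for review. Storing each risk with its mitigations and residual values, rather than only the final verdict, is what lets the yearly plan-do-check-act cycle re-evaluate the DPIA when a process changes.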
Eventually, certification according to Article 42 GDPR will be a useful tool for obtaining external confirmation that the measures taken by the controller are fit to comply with the Accountability principle.
[1] I will not elaborate here whether the term “burden of proof” is to be understood in this situation in a strict dogmatic sense or as a principle which applies “de facto”.
[2] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980; http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
[3] E.g. see legal action of Max Schrems against WhatsApp, https://noyb.eu/wp-content/uploads/2018/05/complaint-whatsapp.pdf
[4] According to Article 83 (5) GDPR
[5] According to Article 28 (3) (h) GDPR
[6] E.g. see legal action of Max Schrems against WhatsApp, page 7, https://noyb.eu/wp-content/uploads/2018/05/complaint-whatsapp.pdf
[7] DSK (Datenschutzkonferenz), Kurzpapier Nr. 1, Verzeichnis von Verarbeitungstätigkeiten – Art. 30 DS-GVO, page 2; https://www.lda.bayern.de/media/dsk_kpnr_1_verzeichnis_verarbeitungstaetigkeiten.pdf
[8] Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA), WP 248rev.01; http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236
[9] See the open source software for DPIA of the French DPA, CNIL; https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment
[10] See for ISMS: https://www.iso.org/isoiec-27001-information-security.html
[11] E.g. for Germany IDW 980; https://www.idw.de/idw/verlautbarungen/idw-ps-980/43124
[12] E.g. see wikipedia with further related links: https://en.wikipedia.org/wiki/PDCA