Lesson 4 The GDPR principles of data protection
- Notion 26 - The importance of the personal data processing principles
- Notion 27 - First GDPR principle: lawfulness, fairness, transparency
- Notion 28 - Second GDPR principle: purpose limitation
- Notion 29 - Third GDPR principle: data minimization
- Notion 30 - Fourth GDPR principle: accuracy
- Notion 31 - Fifth GDPR principle: storage limitation
- Notion 32 - Sixth GDPR principle: integrity and confidentiality
- Notion 33 - Seventh GDPR principle: accountability
- Notion 34 - Review of the main concepts
Notion 33 - Seventh GDPR principle: accountability
Target skills
Principle 7 - Accountability
Organisations can claim to follow all rules and regulations without actually doing so. To ensure that this does not happen, the GDPR includes a principle on accountability. In simple terms, accountability means being able to demonstrate that you do.
Accountability is "not a tick box exercise". In relation to the protection of personal data, this principle refers to the responsibility of people in organisations to comply with the GDPR by demonstrating compliance.
Accountability measures include (but are not limited to):
- Adequate documentation of what personal data is collected and processed;
- Reporting on the purposes and for how long the data is processed;
- Adequate documentation of the procedures and processes related to responding to a data breach;
- Adequate documentation on the establishment of information systems;
- (If required) The existence of a "data controller" or "data protection officer" who is involved in the planning and operation of the organisation's data protection measures.
What is the role of a "data controller" or "data protection officer"?
Some organisations are required to appoint a "data controller". The "data controller" or "data protection officer" is the person in an organisation who decides why and how personal data should be processed. He/she is responsible for establishing appropriate protocols and for continuously assessing, evaluating and reporting on the organisation's approach to data protection. He/she is also the person who responds in the event of a data protection breach.
To illustrate this, please recall the example in notion 28 (purpose limitation) about the bank wanting to send you information about new (banking) products. Imagine that in this case the bank wants to use your personal data for other purposes. To ensure that this is lawful and to be accountable, the bank should check whether this new purpose is compatible with Article 6 (4) of the GDPR (accountability principle).
Once this assessment has been made and it has been determined that the new purpose is compatible with the original purpose for which the personal data was collected, the organisation should write and keep a record of the "compatibility assessment". In this record, the organisation must explain the reasons for its decision and indicate what reasonable safeguards it has put in place.
At this point, we have an overview of the 7 principles of the General Data Protection Regulation (GDPR), which form the core of best practices in data processing. They form the basis for all processing activities and business practices - from the design stage through the entire data processing lifecycle.
See also Article 6 (4) of the GDPR: https://gdpr-info.eu/art-6-gdpr/