“Trust, but verify.” This old Russian proverb captures exactly what the principle of accountability aims to achieve. The General Data Protection Regulation (GDPR) states that data controllers must be able to demonstrate compliance. This means that companies must take appropriate technical and organizational measures so that they can demonstrate, upon request, what they have done and how effective it has been.
Therefore, for a Supervisory Authority, it does not matter if you are a role model in terms of compliance with data protection laws if you are not able to prove it.
Everything your company does needs to be documented. If you have an implicit process within the company for how information circulates, you should have a data workflow. If your company has a set of behaviors that are allowed and encouraged, you should have policies that document that. If you have standardized practices for when data should be deleted, you should have a data retention schedule. If your employees attend training, you should have a list of all attendees.
These are living documents. It’s okay to create initial and rough drafts as a starting point. Gather more and more information until you can create a full official version.
Importantly, official versions should also be updated frequently. Ideally, they should be updated every time a new event occurs, but it is also useful to schedule updates every 6 to 12 months. They must also be easily accessible to all relevant parties.
But remember that documents that prove to be ineffective are meaningless. If you put policies in place but do not make your staff aware of them, or if your staff does not know what to do in a particular situation even after training, all the work you put into creating these documents will be worthless.
There are a number of ways to ensure effectiveness. You can gamify your training and create pop quizzes to test your employees’ knowledge. You can set up a company wiki where all policies are collected in one place and let employees know about them through internal channels. The more evidence you have that you have done your best, the better.
In summary, following the principle of accountability means you should:
- Be organized;
- Document everything;
- Review the effectiveness of all processes.
And remember: “Trust, but verify”.
To learn more about GDPR compliance, don’t forget to read our previous articles.