and governance

Whilst the principles of accountability and transparency have previously been implicit, the GDPR now elevates their significance and makes them explicit.

Accountability principle

The new accountability principle requires organisations not only to comply with the data protection principles but to be able to demonstrate that compliance, and it states explicitly that this is the organisation’s own responsibility.

Data protection by design

An organisation has a general obligation to implement technical and organisational measures which show that it has considered and integrated data protection into its processing activities up front, rather than as an afterthought.

Data protection impact assessments

A data protection impact assessment (DPIA) is a tool which can help an organisation identify the most effective way to comply with its obligations and meet individuals’ expectations of privacy, allowing it to identify and fix problems at an early stage. While not a legal requirement under the DPA, the ICO has promoted the use of DPIAs as an integral part of taking a privacy by design approach. Under the GDPR a DPIA becomes mandatory where processing is likely to result in a high risk to individuals.

Data Protection Officer

A data protection officer (DPO) must be appointed if the organisation is a public authority (except for courts acting in their judicial capacity); carries out large-scale, regular and systematic monitoring of individuals; or carries out large-scale processing of special categories of data or of data relating to criminal convictions and offences. A single DPO may be appointed for a group of firms, and any organisation may appoint a DPO voluntarily. Whoever is appointed must be given sufficient staff, resources and expertise to discharge the role.

Codes of conduct

Signing up to a code of conduct or certification scheme is not obligatory, but if an approved code of conduct or certification scheme covering an organisation’s processing activity becomes available, the organisation may wish to work towards it as a way of demonstrating that it complies. When contracting work to third parties and processors, an organisation may also wish to consider whether those parties have signed up to approved codes of conduct or certification mechanisms.

Solvassure. Compliance Technology.