For protecting personal data today and in the future, accountability is key. There is no doubt about that. The International Conference has rightly placed the principle of accountability in the spotlight.
In the terms of the General Data Protection Regulation, accountability means two things: first, an accountable organisation must have appropriate measures in place to ensure compliance. And secondly, an accountable organisation must be able to demonstrate its compliance.
This might seem straightforward, but it is actually an important evolution. The incorporation of the accountability principle in the GDPR is a key change compared to the Data Protection Directive and is a fundamental shift in approach. It is a move away from red tape and box-ticking exercises, such as the requirement to obtain authorisation from the regulator before launching a processing operation. Instead, organisations must now proactively define their approach to data protection and create a culture of commitment to this fundamental right. Organisations must understand the risks that they create for others with their data processing operations, and mitigate those risks by introducing internal measures, such as privacy management programmes.
It is important to remember that accountability is a process and not just a toolbox. Demonstrating compliance is more than just a snapshot of processing operations at a certain moment in time. Rather, it is an increasing awareness and understanding of how an organisation processes data.
Can accountability contribute to overcoming differences between data protection regimes in various parts of the world?
It can certainly play a significant role. However, organisations must:
- assess local jurisdictions carefully;
- adapt their privacy management programmes accordingly; and
- use the highest standard as a common denominator across all jurisdictions.
This is a tall order, but organisations are not alone on this journey. Regulators worldwide have been leading and supporting the discussion on how to reach consensus on accountability across jurisdictions.
For more information about ICDPPC 2019 visit www.privacyconference2019.info
Dr Andrea Jelinek, Chair of the European Data Protection Board, is the moderator of ‘Panel IV: Accountability – the global bridge to support high standards of data protection?’, Open Session, 41st International Conference of Data Protection and Privacy Commissioners, Tirana, Albania.