LRD guides and handbook March 2018

The General Data Protection Regulation - a practical guide for trade unionists

Chapter 1

Accountability

A new accountability provision in Article 5 of the GDPR requires the controller to be responsible for, and able to demonstrate compliance with, the principles for processing personal data. Because controllers will have to provide evidence of their compliance under this provision if asked, it brings an increased focus on policies and procedures. Controllers need to document the basis for processing, showing that they have properly considered which lawful basis applies for each purpose, and must be able to justify their decision. There is no standard form for this, but the responsibility for demonstrating compliance lies with the data controller.

The data controller must also implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. This includes having appropriate data protection policies and can include adherence to codes of conduct and certification schemes such as those issued by the ICO.