3. Accountability and Governance

A short guidance note explaining the principles of accountability that underpin the GDPR and containing links to 5 internal data protection policies for agencies, when acting as controllers, to tailor to their own requirements.

What does the law require?

The GDPR adds further detail to the existing data protection principles with which agencies must comply. These principles require, amongst other things, that agencies:

  1. process personal data lawfully, fairly and in a transparent manner,
  2. collect personal data only for specified, explicit and legitimate purposes,
  3. ensure personal data is adequate, relevant and limited to what is necessary,
  4. ensure that personal data is accurate and up to date,
  5. do not keep personal data for longer than necessary, and
  6. ensure appropriate security for personal data.

These principles (apart from the requirement to keep data secure) only directly apply when your agency is processing personal data for your own purposes – i.e. when your agency is acting as a “data controller” as opposed to a “data processor”.

The GDPR also introduces an “Accountability” principle. This means that data protection compliance will not only be about what happens when things “go wrong”. Agencies will also need to be able to demonstrate they are consistently complying with the GDPR and to implement appropriate data protection policies and procedures.

Another new governance requirement under the GDPR is the mandatory appointment of a data protection officer (“DPO”) for certain types of organisation. It is important to note that a formal DPO is not required for all businesses. A DPO is only required in certain specific cases as set out in the GDPR. In particular, a DPO would be required where an agency’s core activities involve either: regular and systematic monitoring of individuals on a large scale (such as online behavioural tracking), or large-scale processing of sensitive personal data (such as health records, or information about criminal convictions).

What do you actually need to do?

You should ensure that decision makers and key people within your agency are aware that the law is changing and that the GDPR will apply from May 2018. Depending on the size and complexity of your agency, implementing the GDPR could have significant resource implications.

Amongst other things, agencies will need to have appropriate data protection compliance policies in place. Agencies should also review their policies periodically and update them as necessary to ensure they are effective and meet their requirements.

It is also important that these policies are actually implemented within your agency. It will not be sufficient merely to make policies available on your agency’s intranet. The relevant personnel must be actively made aware of the policies, trained on the requirements and required to comply with them.

In terms of whether agencies are required under the GDPR to appoint a DPO, the IPA anticipates that for most agencies, a formal DPO will not be necessary. However, even where a formal DPO is not required under the GDPR, agencies should still designate someone to take responsibility for data protection compliance (such as a “data protection coordinator”) and assess where this role will sit within your agency’s structure and governance arrangements.

How can the IPA help?

As described in the introduction to the IPA GDPR Top Ten Practical Steps Guidance, the IPA has put together a pack of template policies for agencies to use as part of the development and rolling-out of agencies’ own internal data protection policies and procedures.

The GDPR pack includes the following five example policies for agencies to use as templates. The policies are accessible via the links below:

  1. Data Protection Policy
  2. Data Protection Impact Assessment Policy
  3. Data Retention Policy
  4. Individual Rights Policy
  5. Data Incident Policy

The template policies making up the GDPR Pack are examples and to be used as starting points only. They are not intended to be used ‘as is’. You should review and customise them to fit your agency’s business.

The policies are designed to work in conjunction with each other as well as any other policies and procedures your agency may have. Where the names of other policies are referred to in the various documents, they have been put in bold and underlined to indicate that you could make them accessible via a link (for example if the policies are made available on your agency’s intranet). They include highlighted guidance notes and square-bracketed words – these should be read and dealt with and then removed before implementing the relevant policy. Each also includes some background guidance notes in red at the start of each document to help explain the purpose of the document to you. These red notes should also be removed before implementing the final, clean version of the policy.

The above policies are referred to in more detail in the relevant sections of this Guidance. The IPA may publish further template policies in due course.