GDPR headlines have focused on the 'new': administrative fines, rules on consent, and notification of data breaches. What about the new data protection 'principle' – accountability? This series of articles will explore in detail the different ways to show accountability, which is important for compliance, but also involves treating data as part of the day-to-day running of the business. Integrated, lawful use of personal data is part of every business, whether relating to employees or customers.
As with other changes in the GDPR, the emphasis has shifted. Notification is gone; accountability is here. Currently, data controllers 'notify' by giving the ICO a description of the personal data processed, the categories of data subjects and the processing purposes. From 25 May 2018, organisations must have a direct relationship with individuals, and must be able to demonstrate that they comply with the rules. This will require some form of evidence. Companies will need to keep records to show they meet specific GDPR obligations and the data protection principles as a whole.
Transparency is the part of accountability where companies tell people how they will use personal data. This is a company's chance to engage with customers and build trust.
According to a recent European Union survey, in the UK an overwhelming 80% of those asked were concerned about companies using personal information for a different purpose than the one it was collected for without informing them (e.g. direct marketing and profiling).
GDPR tackles this by making sure organisations are clear and upfront with people about how they will use personal data.
Transparency is so important that it is now a part of the requirement for the processing to be 'fair and lawful'. It is the first step; it is telling people what you are doing with their information. It is engaging with the customer. It is a significant step to demonstrating accountability. It sets expectations. It builds trust. For accountability purposes, it is evidence of compliance.
To ensure you are transparent, you must explain how you use data to your audience:
One complaint about the GDPR is that it stifles innovation. However, effective use of GDPR requirements can help to foster innovation and create new ways of engaging with customers. Evidencing compliance and building trust will ultimately allow you to use personal data more effectively for your organisation. To demonstrate compliance and meet the criteria for transparency and accountability, you need to know your customers, know what data you are collecting and know how you will use it. Knowing these things is good business practice.
When telling your customers what you are going to do, consider how they will reasonably expect you to use their data. This may involve undertaking research to understand people's expectations: looking at data use from their point of view and gaining an insight into their level of knowledge about the organisation, its data collection habits and known or expected uses. Such an understanding should allow you to make sure you are providing the correct information to your customers in a way that ensures they understand the data you collect about them and how you will use it. This insight, and ensuring you target your information to your customers in a clear and understandable way, is evidence to show compliance with the accountability principle (for transparency).
The ICO Guidance on Privacy Notices encourages organisations to explore different techniques to present transparency information that is clear and in ways that are useful to the organisation's specific requirements, e.g. consider channels and methods of communication, types of customers (new customers, long-term customers, any reasonable adjustments needed), layered notices (just-in-time, dashboards), etc.
It is more important than ever to know how your organisation uses personal data, tell your customers about it - and have the evidence to show it.
Other accountability requirements to be explored include keeping records about processing activities, ensuring data protection by design and default is part of decision making, and carrying out data protection impact assessments (DPIAs).