UK General Data Protection Regulation (UK GDPR)

Accountability under the UK GDPR

Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.

What does accountability mean in UK GDPR?

Accountability means:

  • you are responsible for complying with the UK GDPR, i.e. you are proactive and organised in your approach to data protection
  • you must be able to demonstrate your compliance, i.e. you must provide evidence of the steps you take to comply

For a small business, this means you must:

  • ensure a good level of understanding and awareness of data protection amongst your staff
  • implement comprehensive but proportionate policies and procedures for handling personal data safely
  • keep records of what you do and why

You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.

How to comply with accountability obligations

The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:

1. Data protection policies

The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:

  • privacy procedure and notice
  • staff training policy
  • information security policy
  • data protection impact assessment procedure
  • retention of records procedure
  • subject access request form and procedure
  • international data transfer procedure
  • data portability procedure

Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.

2. Contracts

If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.

3. Documentation

By law, most organisations are required to maintain a record of their processing activities, covering:

  • name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
  • the processing purposes
  • a description of the categories of individuals and categories of personal data
  • the categories of recipients of personal data
  • details of your transfers to third countries, including the safeguards in place
  • retention schedules
  • a description of your technical and organisational security measures

If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.

As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:

  • information required for privacy notices
  • records of consent
  • controller-processor contracts
  • the location of personal data
  • Data Protection Impact Assessment reports
  • records of personal data breaches
  • information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018

Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start by using our UK GDPR data protection audit checklist, or by consulting the Information Commissioner's Office (ICO) guidance and templates on documentation.

4. Data protection by design and default

This requires you to embed data protection into everything you do, throughout all your processing operations. For example, you should design new products or services with data protection compliance in mind from the outset.

The UK GDPR suggests measures that may be appropriate to this, such as:

  • minimising the data you collect - both in terms of volume and retention
  • storing data no longer than is necessary
  • storing data only for the purposes for which it is processed
  • applying pseudonymisation techniques
  • improving security features

To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.

5. Data protection officers (DPOs)

The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:

  • you are a public authority or body
  • you carry out certain types of processing activities, including:
    • regular and systematic monitoring of data subjects on a large scale
    • large-scale processing of sensitive personal data or data relating to criminal convictions and offences

This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.

A DPO can be an existing employee or an external appointee; either way, they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs, and act as a contact point for data subjects and the ICO.

Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.

6. Codes of conduct and certification

Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.

Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.

This guide does not constitute legal advice and is provided for general information purposes only.