Chartered Accountants & Business Advisers


GDPR accountability – you’re accountable, aren’t you?

GDPR accountability is for life, not just for May 2018. Now that the rules and regulations are firmly settled in, don’t forget that every organisation remains responsible for creating an appropriate GDPR environment.

What might this mean in the real world? Our GDPR expert, Karen Heaton, takes a look at Accountability.

In our blog today, we look at Accountability, one of the Seven Principles of GDPR and the Data Protection Act 2018.

What is accountability?

Accountability is your requirement to demonstrate how your organisation or practice is compliant with the regulations.

This sounds simple, but what does it really mean? If ever audited or investigated, what would you show the investigators?

Let’s take a look at the route to Data Protection compliance and some essential measures that organisations should have in place to meet this requirement.

What is the minimum you might need to meet the Accountability requirements?

  1. Ensure your employees have some training in Data Protection – this is the responsibility of the Controller
    • We discussed the causes of Data Breaches: 30% – 40% are due to employees
  2. Do you know what data you hold? We discussed Know Your Data (KYD) in our blog on Data Breaches
    • why you have that data
    • what you do with it
    • who sees it
    • where it is kept
  3. Understand your role – this determines what your responsibilities are
    • are you a Data Controller, a Data Processor or both (highly likely)?
  4. Have essential operational policies and procedures (measures) in place to deal with:
    • Data breaches
    • Subject Access Requests
    • Management of consent
  5. Have you communicated your Privacy Notices to clients, employees and suppliers?
  6. Do you need to register with the Information Commissioner’s Office (probably)?
    • Use the checklist from the ICO
    • The fees are explained here – SMEs’ fees range from £40 – £60 per annum
  7. Decide who will be responsible for Data Protection within your organisation – it must be someone!


Today’s fact:

The ICO uses a number of factors to decide what fines (or other actions) to take against organisations. In fact, when submitting Data Breach information to the ICO, organisations must answer questions about staff training and the operational measures that were in place to prevent breaches.

  • Put the essential operational measures in place now to avoid issues in the future.

See you next week!