Privacy and data protection matter more than ever to people. For this reason, the General Data Protection Regulation (GDPR) is one of the EU's greatest achievements in recent years since it seeks to ensure effective data protection in the digital age.
The GDPR brings with it a quantum shift in emphasis on who is responsible for ensuring that our right to data protection is fully respected. The GDPR includes an explicit reference to accountability as a principle and requires that appropriate technical and organisational measures be put in place by organisations. In other words, organisations, and not Data Protection Authorities or Data Protection Officers, must demonstrate that they are compliant.
Accountability is more than simple compliance with the rules - it implies a culture change. Accountability means promoting sustainable data processing, by ensuring that the task of assessing the legality and fairness of complex processing falls primarily on organisations, with the guidance of regulators, and not on the individual.
With the GDPR to be fully implementable by May 2018 and the review of Regulation 45/2001 (the Regulation that applies to the EU institutions and bodies) underway, it is already clear what lies ahead in terms of future obligations. Private and public sector organisations should prepare now as part of their risk management strategies, to find solutions to address their specific needs and not leave it to the last minute.
Accountability is not new to the EU institutions. Whilst Regulation 45/2001 does not specifically articulate the principle of accountability, it is implicit.
In 2015, the EDPS initiated a project to develop a framework for greater accountability in data processing. This was applied first to ourselves, the EDPS, as an institution, a manager of financial resources and people - and a controller.
We developed a specific tool to ensure and demonstrate our accountability as an organisation, to plan and to keep track of related actions. This document consists of a set of questions for the Supervisors, the Director, the staff responsible for managing processing operations and our Data Protection Officer.
The questions do not go into specific detail, but rather aim to ensure that our organisation is in control of personal information and its lawful processing.
This year, we aim to visit small, medium and large EU bodies - and have already started doing so - to explain the new obligations resulting from the revised legal framework and the implications for EU institutions and for the EDPS' work as their supervisory authority.
As part of our efforts to help them on their way to implementing accountability, we will recommend our accountability document during these visits and suggest that they tailor it to suit their specific needs.
Our accountability initiative specifically targets EU institutions and bodies, but other data protection authorities and controllers outside the EU institutions may also find this guidance helpful.