Accountability is one of the central principles of data protection. However, it is often poorly understood. So, what does accountability really mean for you, and why does it matter?

Introduction

GDPR is based on 7 key principles. One of the most important of these is accountability. This means taking responsibility for what you do with personal data and ensuring you are compliant with all the other principles. In this blog, we discuss what accountability really means, look at the different measures you must adopt and then explore the technical measures in a bit more detail.

MDR & GDPR: practical tips and tools for health innovators

Join us on 25 September at 16.30 CEST

Who cares about accountability?

Accountability is one of the main data protection principles in GDPR. Accountability means being responsible for complying with the GDPR and being able to demonstrate this compliance. This principle requires you to take responsibility for what you do with personal data and how you comply with all the other GDPR principles.

In particular, you must have appropriate measures and records in place to be able to demonstrate your compliance. Demonstrating that you are compliant requires more than just updating your Privacy Policy and Terms and Conditions. You also need to implement all appropriate organisational and technical measures.

But what if I am not compliant?

As you probably know, GDPR is backed up by potentially huge fines. After a slow start, Data Protection Authorities (DPAs) are increasingly exercising these powers. Some of these fines have been explicitly for breaching the accountability principle.

  • Recently, PricewaterhouseCoopers was fined €150k by the Hellenic DPA for applying an inappropriate legal basis for data processing and for violating the principle of accountability.
  • On 18 July 2019, the French Data Protection Authority (CNIL) found that Active Assurances had insufficiently protected the data of its users (story in French) and fined the company €180k.

So, what are these “appropriate measures”?

By now, you might be wondering exactly what you need to do. What are the appropriate measures you should take? Unfortunately, GDPR is purposely vague about this. This is because “appropriate” depends on a number of factors such as:

  • the state of the art;
  • the costs of implementation;
  • the nature, the scope, the context and purposes of processing;
  • the risk of varying likelihood and severity for the rights and freedoms of natural persons.

What does this mean in practice?

Essentially, the more sensitive the data you are processing, the better your data protection measures must be. So, if you are processing health data, here are some of the measures that you should take:

Technical measures

  • Data protection by design and by default. Everything you do should ensure the ongoing confidentiality, integrity, availability and resilience of your processing systems and services.
  • Security. You must implement appropriate security measures, e.g. pseudonymisation and record-level encryption of personal data.
  • Logging. Any data breaches or incidents must be recorded in a secure and immutable (tamper-evident, unchanging) fashion.
  • Backups. You must be able to restore access to personal data in a timely manner in the event of a physical or technical incident.
  • Certifications. You need to adhere to relevant codes of conduct for security, QA, etc.
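The security and logging measures above name two concrete techniques: pseudonymising personal data so that direct identifiers are held apart from the working record, and recording incidents in an immutable log. The Python below is an added example written for this page, not Chino.io's code or API. It uses only the standard library, so it demonstrates keyed pseudonymisation (HMAC-SHA256) and a hash-chained, tamper-evident log; it does not implement the record-level encryption itself, which in practice would use an authenticated cipher such as AES-GCM from a maintained cryptography library. The key, the sample patient record and the log events are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo key. In production the pseudonymisation key lives in a
# KMS/HSM, is rotated, and is never checked into source control.
PSEUDONYM_KEY = b"demo-only-pseudonym-key-replace-me"

GENESIS = "0" * 64  # hash value chained into the first log entry


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256).

    A plain SHA-256 of an email address or patient number can be reversed
    by a dictionary attack over likely inputs; keying the hash means
    re-identification needs the secret key, which is the "additional
    information kept separately" that GDPR Art. 4(5) requires.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record: dict, identifier_field: str, direct_fields: tuple) -> tuple:
    """Split one record into an identity row and a pseudonymous payload.

    The identity row (pseudonym plus direct identifiers) belongs in a
    separate, more tightly access-controlled store; the payload carries
    only the pseudonym and the non-identifying attributes.
    """
    pseudonym = pseudonymise(str(record[identifier_field]))
    identity_row = {"pseudonym": pseudonym}
    payload = {"pseudonym": pseudonym}
    for name, value in record.items():
        if name == identifier_field or name in direct_fields:
            identity_row[name] = value
        else:
            payload[name] = value
    return identity_row, payload


class HashChainedLog:
    """Append-only incident log where every entry commits to its predecessor.

    Editing or deleting any earlier entry breaks every later hash, so
    verify() detects the change. For real immutability the latest hash
    must also be anchored outside the writer's control (WORM storage, a
    third-party timestamp service, or a separately controlled copy).
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash: str, event: dict) -> str:
        # Canonical JSON so the same event always hashes the same way.
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

    def append(self, event: dict) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev_hash, "event": dict(event),
                 "hash": self._digest(prev_hash, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev_hash = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev_hash:
                return False
            if self._digest(prev_hash, entry["event"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample record; no real person.
    record = {"patient_id": "P-0001", "name": "Example Patient",
              "email": "patient@example.org", "diagnosis": "E11.9"}
    identity_row, payload = split_record(record, "patient_id", ("name", "email"))
    print("payload held by the application:", payload)

    log = HashChainedLog()
    log.append({"type": "breach_detected", "ts": "2019-07-18T09:00:00Z",
                "records_affected": 1})
    log.append({"type": "dpa_notified", "ts": "2019-07-20T10:00:00Z"})
    print("log intact:", log.verify())
    log.entries[0]["event"]["records_affected"] = 0  # simulated tampering
    print("log intact after edit:", log.verify())
```

Running the script shows the payload with the name and email stripped out, `log intact: True`, and then `False` once an earlier entry has been edited. The split keeps the re-identification key and the identity rows in a different trust boundary from the application data, which is what makes the pseudonymisation meaningful rather than cosmetic.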

Organisational measures

  • Regular assessment. Implement a process for regularly testing, assessing and evaluating the effectiveness of your technical and organisational measures.
  • Policies. You must adopt and implement proper data protection policies.
  • Data processing agreements. Put written contracts in place with every organisation that processes personal data on your behalf.
  • Documentation. You must maintain documentation of all your processing activities.
  • Notification. You are obliged to report any data breaches that affect personal data.

That’s a lot of work. How can Chino.io help me?

Chino.io are specialists in GDPR and HIPAA compliance. We can assist you with all the technical and organisational measures your application needs to properly protect personal data. Businesses that process health data will most likely benefit from an “externalised” approach to accountability. Amongst other things, using the Chino.io platform you can implement all the appropriate technical measures through our simple API. We can also provide assistance with implementing comprehensive but proportionate policies and procedures for handling personal data. Above all, we will help you save time, cut costs and minimise the risks of getting it wrong.

Anything else I should know?

Remember that your accountability obligations are ongoing. Consequently, you must regularly review and, where necessary, update the measures you put in place. But with Chino.io it’s not your problem any more. We have a duty to keep our technology at the cutting edge of data protection, helping ensure you are always compliant. But we can also help with organisational measures, sharing all our latest knowledge and documentation with you.

Using Chino.io you will be able to focus your energies and attention on developing your business. Want a free consultation? Simply click the button below and fill in your details.

About Nicola Brunello

Nicola is a legal counsel and an expert in IT and data protection law. He worked for major law firms before the GDPR prompted him to focus entirely on IT law, combining his passions: law and computers.

About Toby Moncaster

Toby is a seasoned technical author with a love of data security & networking. He spent a decade in R&D, project and product management. He received his computer science PhD from Cambridge in 2018.