Regulation no. 679/2016 introduces a regulatory framework focused entirely on the duties and “accountability” of the Data Controller, reversing the perspective of the previous framework for personal data protection. Directive 95/46/EC, in fact, was centered entirely on the rights of the data subject, whereas the text of the new Regulation is built mainly around processes, activities, technical and organizational measures, sanctions and obligations directed at the Data Controller.
The accountability principle, although introduced for the first time in the new provisions, had already been examined by the Article 29 Data Protection Working Party in Opinion No. 3/2010, which suggested the insertion of a general provision to “reaffirm and strengthen the responsibility of Data Controllers”, structured so as to include an obligation to take appropriate and effective measures to implement the principles of data protection, together with the obligation to demonstrate, on request, that such measures have actually been implemented.
This Opinion, in essence, anticipates concepts now expressly contained in the GDPR, indicating by way of example a series of measures aimed at pursuing the “accountability” principle. These include the need to plan new processing operations so as to ensure compliance with regulatory requirements (privacy by design in the GDPR), the mapping of processing operations (the register of processing activities in the GDPR), and the establishment of transparent procedures for handling data subjects' requests for access, rectification and erasure (strengthened in the GDPR by the introduction of the right to be forgotten). In addition, the same Opinion suggests, under certain circumstances, carrying out privacy impact assessments and defining internal procedures for the management and effective communication of security breaches. Finally, the Working Party stresses that the measures taken must not be a mere formality: they must actually be implemented in practice and verified through periodic audits conducted both by internal auditors (“internal audits”) and by external auditors (“external audits”).