The text of the new Regulation on Personal Data Protection contains explicit references to the concept of “accountability”, a concept not expressly contained in Directive 95/46/EC, but partially anticipated by the Art. 29 Data Protection Working Party in Opinion no. 3/2010.
First, art. 5 of the GDPR identifies the Data Controller as the person responsible for ensuring compliance with the principles laid down in the new regulation concerning personal data processing, such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. Paragraph 2 of art. 5 then states that, in addition to ensuring compliance with these principles, the Data Controller must be able to “demonstrate it”: this is the core of the principle of “accountability”, as the Controller has to implement a series of procedures (for example, mapping the processing activities by creating a register of processing) that make the principles of the new data regulation verifiable in practice, rather than legal obligations that exist only on paper.
The concept of “accountability” is further outlined in art. 24 of the Regulation, which specifies that the Data Controller must implement (and review and update where necessary) appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing operations are carried out in accordance with the new rules. The measures to be adopted have to be evaluated on a case-by-case basis, taking into account a number of factors including the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
This is because the new regulation no longer lists a set of “minimum measures” to be adopted, such as those contained in Annex B to the Privacy Code; instead, the most appropriate measures must be identified in each case, in light of the elements mentioned above.
In short, the introduction of the concept of “accountability” requires each organization to adopt a new approach to the management of data protection. On the one hand, the GDPR gives the Data Controller more discretion in deciding how to protect the data, for example by abandoning the concept of “minimum security measures”. On the other hand, this greater freedom is accompanied by the Controller’s obligation to demonstrate the reasons that led to a specific decision and to document those choices.
This change of perspective may also affect the means each organization employs to ensure compliance with the principles contained in the new regulation. For example, the progressive digitisation process may itself extend to the management of the required data-protection measures, through the computerisation of the underlying processes and the traceability of the choices made.