Data protection risk management: Piece of cake, isn’t it?
How does your organisation manage data protection risks? Would you be able to confidently demonstrate accountability to the data protection regulators if you were required to do so? By Charlotte Reddish, Jenai Nissim and Alison Deighton of Hello DPO.
Many organisations are still struggling to demonstrate one of the most basic requirements of the General Data Protection Regulation 2016/679 (GDPR), the accountability principle. In this article, we set out how organisations can use some of the core concepts of risk management to help demonstrate how they meet the accountability principle and manage data protection risks.
What is the accountability principle?
The accountability principle in Article 5(2) of the GDPR requires that organisations not only comply with all the data protection principles, but also that they are able to demonstrate compliance with them. In practice, this means organisations must implement technical and organisational measures (commonly known as “controls”) to demonstrate that the processing of personal data is undertaken in accordance with the GDPR. The consequences of non-compliance can be substantial; effective data protection risk management is therefore fundamental to an organisation’s accountability approach. As an important cornerstone of demonstrating accountability, organisations need to implement a structured way of identifying and managing their data protection risks on an ongoing and forward-looking basis. This article sets out some practical steps that organisations can take.