Accountability in the General Data Protection Regulation (AVG) is an important element that must be secured in the operations of organizations. A Privacy Management System supports this; without such a system, there is a high risk that things are forgotten and a significant chance that the organization is not "privacy compliant".
Background
As early as 1980, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data spoke of accountability, and the Data Protection Directive and the Personal Data Protection Act (Wbp) also contain some form of accountability. Over the past 20 years, however, there has been much discussion about how (compliance with) personal data protection can be embedded even more firmly within the business operations of organizations. The outcome of this discussion is reflected in the accountability obligation of the General Data Protection Regulation (AVG).(1)
The accountability obligation from the AVG
Art. 5(1) AVG provides the principles regarding the processing of personal data (including with regard to lawfulness, purpose limitation, accuracy, storage limitation and confidentiality).
Art. 5(2) AVG obliges the controller to comply with these principles and to be able to demonstrate that it does so. The controller must establish an "appropriate data protection policy" (Art. 24 AVG) with technical and organizational measures to ensure, and to demonstrate, that processing is carried out in accordance with the regulation. If the controller engages processors, it must also impose obligations on them so that compliance is ensured in relation to the processors as well (Art. 28).(2) The measures must be evaluated and updated where necessary. This means introducing a PDCA cycle.(3)
In addition, the controller must assign responsibilities within its organization to ensure compliance with privacy obligations, and must ensure awareness and training of the personnel involved in the processing. A (mandatory) data protection officer (FG) oversees the controller's compliance with the AVG.
In a register, the controller must keep track of its processing activities (Art. 30 AVG) and thereby also demonstrate compliance with the AVG. The register must be shown to the Personal Data Authority (AP) upon request and is thus also an elaboration of the accountability obligation of Art. 5(2) AVG.
Accountability and the auditor
Failure to comply with the AVG can result in a substantial fine of up to EUR 20,000,000 or 4% of total worldwide annual turnover, depending on the type of violation.(4) This is material and requires the auditor to understand the processing of personal data by the organization in question, the applicable requirements of the AVG, and how these requirements are met. If (potential) violations of the AVG are identified, this may result in a provision, liability or disclosure to be included in the financial statements. An organization may also need to make substantial investments to become AVG compliant.(5)
Data protection framework
To demonstrate that an appropriate data protection policy is in place, Privacy Management Software is often a godsend. With this software, you set up a "data protection framework" and secure privacy as an improvement-oriented process within the organization.
Footnotes
(1) European Data Protection, Law and Practice, IAPP 2018, p. 195ff.
(2) Text & Commentary AVG, Wolters Kluwer 2018.
(3) Deming's Quality Circle is a creative tool for quality management and problem solving developed by William Edwards Deming. The four activities in Deming's quality circle are: PLAN: look at the current work and design a plan for improving it, setting objectives for the improvement. DO: carry out the planned improvement in a controlled trial. CHECK: measure the result of the improvement, compare it with the original situation and test it against the established objectives. ACT: make adjustments based on the results found at CHECK.
(4) See the Personal Data Authority's penalty policies: Beleidsregels van de Autoriteit Persoonsgegevens van 19 februari 2019 met betrekking tot het bepalen van de hoogte van bestuurlijke boetes (Boetebeleidsregels Autoriteit Persoonsgegevens 2019).
(5) Leidraad voor de AA afl. 103, January 2016, "The accountant and the Wbp", mr. dr. Elisabeth Thole and mr. Özer Zivali.