The Dutch Autoriteit Persoonsgegevens (AP) states the following about 'accountability': "The General Data Protection Regulation (GDPR) places the responsibility on you as an organization to demonstrate that you comply with privacy rules. By fulfilling your accountability, you make an important contribution to protecting people's fundamental right to privacy. The GDPR rules require you to carefully consider how your organization processes and protects personal data. Accountability means that you must be able to demonstrate that your processing operations comply with the rules of the GDPR."
Chapter 4, with Article 24, deals with compliance measures. It sets requirements for the data controller and for the use of a compliance framework. Of course, the AVG (the Dutch term for the GDPR) is not a checklist; see the article on the 'principles of the AVG'. The AVG generally deals with issues such as ethics, integrity, values and principles.
Yet the "hard side" of the AVG is also important. The AVG is a risk-based regulation. This means that a data controller must have an overview of all risks related to the processing of personal data and must implement mitigating measures for them.
Article 24 of the AVG states that, taking into account the nature, scope, context and purpose of the processing, a controller must implement appropriate technical and organizational measures to ensure and demonstrate that processing is carried out in accordance with the AVG. Those measures shall be reviewed and updated as necessary.
Thus, Article 24 contains two important aspects: 1. the principle of demonstrability and 2. a PDCA cycle (1). In summary: the accountability principle. In one sentence: the controller must demonstrably comply with the AVG on a continuous basis.
This is a far-reaching (compliance) obligation, for which methodologies such as a Control Framework can be very helpful. With a framework of standards based on the AVG obligations, control measures can be determined, and these 'controls' must then be checked periodically. This provides a picture of the extent to which the organization complies with the privacy requirements of the AVG. The trick here is to get the most reliable results with a minimum of control effort. If it is periodically checked whether all control measures are in order, it can be demonstrated that the organization is 'in control' in the field of the AVG.
(1) PDCA: Deming's cycle is based on his collaboration with Walter A. Shewhart, who is considered one of the founding fathers of Total Quality Management. W. Edwards Deming (1900-1993) is known for the Plan-Do-Check-Act cycle, abbreviated as the PDCA cycle and more commonly known as the Deming circle.