Leading from the top

Published: 3 June 2024

Whether you work in the private, public or third sectors, education or healthcare, Deputy Data Protection Commissioner Rachel Masterton explains why accountability should be at the heart of any successful organisation.

A common phrase when something goes wrong, whether in the public or private sector, is ‘someone needs to be held accountable’. It is a key part of the ongoing UK Post Office public hearings, trying to find out on whose shoulders this heart-rending miscarriage of justice sits. And, one thing seems certain - no-one wants to be that person.

Being accountable means being responsible to someone for something and being prepared to justify your actions, or inactions, to that person. It is not hard to see why it is a difficult position to take.

Being responsible for something is one thing, but being required to explain yourself and why you did or did not take action is quite another. And the nervousness is amplified if the thing you have to justify is not viewed well by others.

Despite what people may think, the concept of accountability has been around in the data protection world for many years.

In 1980, the OECD released ‘Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’, a precursor to modern data protection and privacy legislation, that included a reference to being accountable.

Twenty years after that, in 2000, the first substantial inclusion of accountability was in Canadian privacy legislation, where it formed the first of ten fair information principles.

In the following years, Mexico, Hong Kong, Colombia and Australia all introduced accountability mechanisms into their privacy requirements but it was not until the advent of the GDPR that accountability became part of European data protection.

Here at home, on the Glorious 25th of May[1], the Bailiwick’s new data protection law came into effect and brought with it the concept of accountability.

This means organisations processing personal data are responsible to the regulator and the people whose data it is and, importantly, are required to be able to justify what they are doing with that data, in essence, how they are complying with the Law.

Why accountability is important
Embracing accountability and acting proactively has benefits beyond simply meeting your legal obligation. Individuals have a number of rights under the Law that they can exercise that will require, at the very least, a response from your organisation and, more often than not, for some action to be taken.

An accountable organisation is ready for these, knows what they look like and how to respond, getting it all done well within the one-month response period.

This reassures the individual and us at the ODPA that the organisation is engaged and taking its obligations seriously. It may not always be the right response but you get credit for acting quickly and taking it seriously.

The same goes for any breaches that may occur. As we mentioned in a previous article (just last month, in fact), it is more a case of ‘when’ you have a breach than ‘if’.

And when you do, having a full understanding of your systems, the data within them, the risk level, threats and how to put things right serves you much better than scrabbling around designing an incident response plan on the hoof.

An appropriate mix of concern, calm and control, following the process put together when there was the time and space to work through different options and decide an optimal approach looks much better to us and those whose data is impacted.

Accountability also plays a big part in building and maintaining good relationships with staff, service users and anyone else whose personal data your organisation relies upon.

An accountable approach will foster trust and confidence and ultimately give you a competitive edge over other organisations that only pay lip-service to data protection compliance.

Time and again we see from breach reports and complaints that the attitude of the organisation when something has gone wrong makes a big difference to how the individuals feel about the problem.

And organisations are catching on to this, being open and honest about problems with those they affect, which is always received better than a ‘head in the sand’, ‘it wasn’t me’ approach or just plain hoping no-one will notice.

How do we embrace accountability?
The first act of accountability is to take responsibility, to lead from the top, to be the one that stands up and says, ‘it rests with me’.

Data protection should be a standing item on board agendas and at least one line on the risk register.

It should be valued as a business enabler, not as something that gets in the way, and everyone in the organisation should be aware of the part they play.

The next step is a paradigm shift, from viewing the Law as stark legal obligations that need to be ticked off, to a collection of tools that will help you ‘do’ data protection well and demonstrate your accountability.

The various requirements, including data processing notices, records of processing activities and data protection impact assessments, all help to guide your compliance journey and to be able to show what data you have, what you do with it and how you consider it as an organisation.

View these measures as part of the solution rather than the problem, to help you meet the challenge of ensuring that the rights of individuals and the protection of their personal information are respected.

And they are substantive documents you can use to demonstrate your commitment to data protection should the regulator come calling, an infinitely better answer than “hmm, I’ll see what I can remember about why we’re doing it that way”.

How can we help?
Whilst the Law requires us to regulate and enforce it, we also have a role to assist organisations to get it right, a prominent commitment in our Strategic Plan 2023 - 2026.

To this end, we are launching a survey to understand the measures controllers and processors currently have in place to ensure compliance and demonstrate accountability. The results will be used to provide additional guidance where needed and to drive our accountability work to allow us to better support you.

Accountability is not just important for controllers and processors. The ODPA needs to be accountable too, both for our own processing and for the delivery of our statutory functions.

Therefore, in order to assess the value of the support we provide, there are questions at the end of the survey giving you the opportunity to give feedback on how we are doing. We welcome your feedback – fully embracing the words of author and digital leader Pearl Zhu, “Accountability means to say what you do, do what you say”.

You can take part in the survey at www.odpa.gg/consultation

[1] ‘Wear lilac if you were there’, concept from ‘Night Watch’ by Sir Terry Pratchett