Navigating data protection accountability: how to meet statutory requirements

Data protection law is designed around six principles that data controllers must adhere to. The principles are that personal data must be:

1. used lawfully, fairly and transparently
2. collected and used only for specified, explicit and legitimate purposes (purpose limitation)
3. adequate, relevant and limited to what is necessary (data minimisation)
4. accurate and kept up to date (data accuracy)
5. only kept for as long as is necessary (storage limitation)
6. kept secure

However, it is not enough to say that you comply with the six principles, you must demonstrate how you comply with them. This is known as the Accountability Principle. Whilst not officially a principle, this is a requirement of the UK General Data Protection Regulation (UK GDPR).

The key to accountability is ensuring that you have documented policies, procedures, assessments and logs which you keep up to date and which govern your data processing activity. Some of these are set out in the UK GDPR as mandatory, so we have extracted and summarised these to save you an arduous trawl through the legislation.

ICO fee

Unless an exemption applies, you must pay a small fee to the Information Commissioner’s Office (ICO). The ICO self-assessment tool is quick, anonymous and will tell you whether you need to pay a fee and the amount of that fee.

Privacy policies

You must give people certain information about the personal data you process about them. This includes amongst other things your purposes and lawful bases for the processing, the nature of any third parties with whom the data will be shared, whether it is transferred outside the UK, how long it is kept for, and information about individuals’ rights under data protection law.

If you have a website, this is an ideal place to host a privacy policy for your website visitors, customers, and other relevant third parties. You will also need to provide one to your staff, usually in a staff handbook.

Cookie policies and consent management tools

On the subject of websites, there are certain requirements relating to the use of cookies.

You must identify the cookies you propose to use, whether they are operated by you or by third parties (such as Google), and how long they will be set for, in a cookie policy which website users may read before they provide consent to the placement of cookies on their browser or device.

Cookies may only be placed after users have freely given informed consent. This is usually obtained by a pop-up or slider which appears when a user first lands on your site. Using a consent management tool, users may select which categories of cookies they are happy with. For example, they may be happy for functional cookies to manage their shopping cart but object to the use of targeting cookies to place ads for your products on third party pages which they later happen to browse.

Consent records

This seems like a good time to mention that you must be able to demonstrate that you have received consent to the processing of personal data when you are relying on it as a lawful basis. Whilst the law doesn’t specifically tell you to keep a consent log, we suggest that you do. The log should detail when and how consent was provided and the scope of that consent. You can also refer back to and update this log when enabling any withdrawal of consent.

Records of processing activity (ROPAs)

Data controllers and data processors must fully document the personal data they process unless they employ fewer than 250 people and do not carry out high risk processing activity. A template record designed to meet statutory requirements, populated with examples, is available on the ICO website. The ICO can ask to see ROPAs so it is important that you have them and keep them up to date.

Appropriate Policy Document (APD) for the processing of special categories of data and criminal data

It is actually the Data Protection Act 2018 which requires controllers to create and maintain this policy. If you employ any staff, you will naturally process information about sickness absence at least, and will therefore this requirement will apply to you.

Your APD must set out the categories of data you process, your lawful bases and purposes for doing so and how you will treat and protect that data in accordance with the six principles. It is an internal document which generally lies dormant apart from any updating if your processing activity changes, but it must be shared with the ICO if requested.

Breach records

All personal data breaches must be recorded, even if they don’t reach the statutory reporting threshold. You must document the facts and effects of the breach, actions taken to contain it, your assessment of risk to individuals, and improvements you have implemented to prevent reoccurrence. If you do not consider that the breach needs to be reported, you should record this decision and your reasons.

Compliant contracts with data processors

If you engage a third party to provide services which involve processing personal data on your behalf, such as an outsourced payroll service, you must have a written agreement in place with them which obliges them to:

• only process the data on your instructions
• ensure that it is kept confidential
• keep it secure
• only appoint a sub-processor with your permission
• not transfer the data outside the UK without your permission and without appropriate safeguards
• co-operate with you to ensure timely breach reports and responses to data subject rights requests
• keep records of compliance with these obligations and allow you to audit their records and facilities so that you can comply with the Accountability Principle.

Impact assessments

If your processing activity is likely to result in a high risk to the rights and freedoms of individuals, you must perform a Data Protection Impact Assessment (DPIA). A DPIA helps you to identify risks and measures to reduce these risks. A template DPIA is available on the ICO website. DPIAs are particularly necessary where you are using new technology and/or monitoring individuals on a large scale.

You must not start your processing activity until your DPIA is complete. If you cannot reduce the risk of your processing activity and still wish to proceed with it, you must consult with the ICO.

If you are relying on legitimate interests as your lawful basis for processing personal data, you are required to balance those interests against the right and freedoms of individuals. This is called a Legitimate Interest Assessment (LIA) and template assessment is available on the ICO website.

Other non-mandatory, but sensible, policies and procedures to adopt to achieve your accountability requirements are a data protection policy, an information security policy, a breach management procedure and a procedure for managing and logging individual rights requests. You might also consider having policies governing home working, clear desks and using personal devices for work purposes.

If you would like help in implementing any of the measures described in this article, or have questions about other data protection areas, please do get in touch with our Data Protection Team.