The accountability principle
The key concept of the GDPR is that controllers need to be able to show that their processing activities are in line with the data processing principles determined by the GDPR. The accountability principle in Article 5 (2) means that controllers are responsible for and should be able to demonstrate their compliance with the GDPR data processing principles listed in Article 5 (1).
The GDPR furthermore requires that controllers implement appropriate procedural and technical measures to protect personal data. They need to be able to show that they have taken concrete measures within their capacity to meet their obligations (Article 24).
But how do controllers show that they have taken appropriate measures and that processing activities are in line with the GDPR? This requires clear evidence, for example:
Documentation of comprehensive privacy policies;
The appointment of a data protection officer and representatives;
Adopting and following codes of conduct or Binding Corporate Rules;
Keeping records of all data processing activities.
This evidence needs to demonstrate that controllers have taken concrete steps to comply with the GDPR provisions and meet their obligations.
If you want to know more about this topic, you can read the two articles below.
© University of Groningen