A simple approach to GDPR accountability with ROPAs (includes template!)
The GDPR (General Data Protection Regulation) outlines seven key principles relating to the processing of personal data.
These are often referred to as ‘data protection principles’ or ‘data processing principles’.
The principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Among organisations that believe themselves GDPR compliant – and among those that don’t – accountability is often the weak link.
In this blog
What does ‘accountability’ mean under the GDPR?
The GDPR says in Article 5(2) that data controllers must be able to demonstrate compliance with the other six principles. Though the GDPR doesn’t give a formal definition for ‘accountability’, its meaning is clear:
You must be able to prove compliance.
This isn’t just a key GDPR requirement, subject to the higher-tier fines.
Meeting this principle ensures an overall approach to data security and privacy that’s effective at addressing your risks, as well as giving you a better return on investment on your measures.
Accountability means being able to show your personal data processing activities are secure and GDPR compliant.
Are your measures effective?
As evident from the many conversations I have with subject-matter experts, organisations tend to implement measures and then forget about them.
But you implement a control to address a risk and bring it down to an acceptable level.
You can’t, however, stop there.
First, confirm that the control is effective:
- Did you implement it correctly, or does it require fine-tuning to get the result you want? Check that your money (and time) were well spent.
- Was the control the best risk treatment option you had? Don’t forget, as with many aspects in business, you make decisions based on your best guess only. There’s no shame in finding out you’re wrong, but that’s no excuse for staying wrong.
Second, risks aren’t static – especially in a world where digital information is prevalent. Cyber threats and vulnerabilities are constantly changing, and risks change with them.
Organisations change, too. Over time, you’ll modify the way you do things – bring in a new system, for example, or amend the way you conduct a certain activity. You may even go through a major change like a merger or an acquisition.
In short, a measure that’s effective today may not be so effective a few months from now.
Why do we need accountability under the GDPR?
The above is why accountability under the GDPR is so important.
It transforms GDPR compliance from a box-ticking exercise into a catalyst to improve the way you operate as a business. It means you’re:
- Managing your risks better – not just to your data subjects (customers, employees, etc.), but also to your organisation;
- Keeping track of what data you’re collecting and why, and destroying data you’re not using or no longer need; and
- Making your processes more efficient and have more confidence in your data.
It’s the difference between creating a ROPA (record of processing activities) as a one-off exercise, and turning that ROPA into a type of asset register of true business value to your organisation.
It’s the difference between just creating policies and procedures, and also generating records that’ll tell you that your processes are working and show a regulator – and other stakeholders – that you are, indeed, GDPR compliant.
The accountability principle entails these types of differences.
Finding this blog useful? To get notified of future
expert insight like this, subscribe to our free
weekly newsletter: the Security Spotlight.
How to be accountable under the GDPR
One approach is explore the ICO’s (Information Commissioner’s Office) accountability tracker and/or accountability framework. As the UK’s supervisory authority, this is a natural place to start for UK organisations.
But is there a simpler way of showing accountability?
I sat down with Andrew ‘Andy’ Snow, our data privacy trainer and a DPO (data protection officer), to find out.
How would you approach GDPR accountability?
Well, accountability means that you need to be able to point at a [personal data] processing activity and say:
- The lawful basis is [this].
- We’re ensuring purpose limitation like [this].
- We’re ensuring accuracy like [this].
- We’re securing data like [this].
- And so on.
Having clear answers when questioned about anything related to the data protection principles is a good place to start. It shows you’ve thought about the principles and how you’re meeting them.
How can organisations address the data protection principles in a practical way?
I’d start with your Article 30 ROPAs. We’ve previously talked about how you can make them your focal point of GDPR compliance by using them as a ‘one-stop shop’.
[You can read the full interview Andy is referring to here.]
This is precisely how I’ve approached my own ROPA template. I’ve tried to make it a more relevant document for organisations by putting all useful information in one place – not just what the GDPR lists in Article 30, but also cover:
- Accountability;
- How you’ll cater for data subject rights; and
- DPIA [data protection impact assessment] information.
I also use it for data flow information and as a risk register. Those aren’t explicit GDPR requirements, but having that information handy certainly helps you meet other legal and regulatory requirements and keep data secure.
How does using your ROPA like that help keep personal data secure?
Because, if you don’t know what data you have, where it’s going, or what risks are associated with it, how can you possibly protect it? For that matter, how can your business processes be maximally effective?
But if you keep that information together – the kind you’d want to regularly use in day-to-day activities, not just document then forget about – accountability becomes part of business as usual without too much effort, once you’ve put together those ROPAs.
This approach to ROPAs also provides a ‘single source of truth’. It’s like version control in an ISMS [information security management system, ideally aligned to ISO 27001].
If you scatter your documentation, and someone updates a document in one location but not in another, how will you establish which is correct? Will people even realise that there are two [or more] versions of that document?
Whereas if everyone defaults to their ROPA to check the retention period, which also contains hyperlinks to the documented consent, DPIA, etc., that makes for a considerably more coherent approach.
Can you share your ROPA template with us?
Of course! Trainees regularly ask for a copy, which I’m happy to share – I hope it gives people a good starting point.
[We’ve recreated Andy’s template below.]
Thanks a lot, Andy. My final question: for those looking to further automate compliance, or who aren’t keen on spreadsheets, is CyberComply a good solution for demonstrating GDPR accountability?
It most certainly is, but it’ll take buy-in from management for it to work. Without that buy-in, no solution will work in the long run – accountability is something that needs to be baked into the organisation’s culture, which has to come from management.
The organisation must be accountable for every processing activity. It must have due regard for all risks associated with its processing activities.
So, if you don’t have an Article 30 ROPA, and you’re not tracking all these processing activities, how do you even understand the risks from specific activities? [A specific responsibility of the DPO or data privacy lead.]
Accountability needs to be embedded into everything organisations do. Again, it’s having that one-stop shop.
Free ROPA template
Andy’s ROPA template doesn’t fit (legibly) into one screenshot. Instead, we’ve replicated his Excel-based template in segments, which you can easily tailor to suit your needs.
Top rows: Controller, DPO and UK/EU representative contact details (if applicable)
Column group 1: Processing information
Column group 2: Article 30 requirements
Column group 3: Data flow information
Column group 4: Article 5 principles – accountability
Column group 5: Lawful basis
Column group 6: How data subject rights will be catered for
Column group 7: Risk register
Tips: Colour-coding your risks (e.g. green/amber/red to indicate low/medium/high risk) is a good idea. Excel formulas to automatically calculate risks can also speed up this process.
Make sure you clearly define what a ‘low’, ‘medium’ or ‘high’ risk is for a consistent approach across the organisation.
Column group 8: DPIA information
Get a free demo of CyberComply
Our CyberComply platform is designed to support the implementation and maintenance of a wide range of frameworks, including the UK and EU GDPR.
In just one tool, you can:
- Effortlessly create essential documents, including GDPR ROPAs, with pre-populated documents;
- Quickly assess and manage your GDPR compliance gaps;
- Easily identify, map and visualise your data flows;
- Conduct DPIAs quickly in six simple steps; and
- Much more!
Don’t take our word for it
Here’s what our customers say:
Stephen Hurren:
This tool has been a business enabler that allowed us to move away from clunky and ineffective Excel spreadsheets to manage our risks.
I’d highly recommend CyberComply to anyone looking for a value-for-money risk management and compliance platform.
Nikolaus:
CyberComply is an easy and reliable platform to use to fulfil the compliance objectives. Data mapping can be connected with the related data protection impact assessment on one platform.
With increasing demand of data security, we are happy to have this tool.
Felipe:
CyberComply was sourced for being a one-stop, all-in-one product we needed for our compliance and data security needs.
It’s easy-to-use nature, backed up with a sterling set of consultants who maintain it and align to current security frameworks, has made our journey much easier to transition.
It’s also removed our need and reliance on spreadsheets, whilst presenting one single source of truth for all our risks and data protection needs.
We first published a version of this blog in December 2018.
0 Comments