Package: Compliance

GDPR and Accountability

Perhaps the biggest single change in the GDPR when compared to the DPA is the requirement for accountability – for data controllers (and processors) to create and maintain sufficient evidence of compliance. Article 5(2) states that controllers “shall be responsible for, and be able to demonstrate compliance with,” the six data protection principles. Article 30 requires controllers and processors to “maintain a record of processing activities under its responsibility,” which at first glance appears to be, in part, the mechanism intended to replace the current requirement for data controllers to register with the regulator. I read into it a broad requirement to maintain records about data processes and data processing per se. Article 24 refers to controllers being able to “demonstrate that processing is performed in accordance with this Regulation”, and there are more references within the 99 Articles and preliminaries that comprise the General Data Protection Regulation.