CIPP/E Study Guide
Ch 11.1 - Accountability background

Introduction and background to accountability

The GDPR formally embeds accountability into EU data protection law. Accountability means the obligations an organisation must meet to show and evidence its compliance. It is not brand new: it first appeared in the 1980 OECD Guidelines and was implicitly supported by the original Directive through the duty to register or notify processing with national DPAs. Regulators now want more than a tick-box exercise - they want a culture of data protection embedded in a company's 'corporate DNA'. France's CNIL went further with a Standard of twenty-five governance requirements that lets compliant companies earn a 'privacy seal'.

Accountability is best understood as the different obligations an organisation must meet to show and evidence its compliance with the data protection framework. The concept means different things in different contexts, but at its core it is about proof, not paperwork.

It is not a new idea. It was first outlined in the 1980 OECD Guidelines, and the original Directive addressed supporting issues - notably the duty for organisations to register with or notify their national DPAs of intended processing. Formally naming 'accountability' in the GDPR is meant to push organisations beyond a tick-box exercise toward a genuine culture of data protection embedded in their 'corporate DNA'.

CNIL's proactive Standard

France's CNIL published a Standard with twenty-five separate requirements for privacy governance (internal/external policies, DPO appointment and status, audits, handling access requests and breaches). Companies that comply can obtain a privacy seal.

Key terms - quick answers

What is “Accountability”?
The set of obligations an organisation must meet to demonstrate and evidence its compliance with data protection law - not just having policies, but proving they work.
What are the “OECD Guidelines”?
The 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, where the accountability principle was first outlined.
What is the “Directive”?
The original Data Protection Directive (95/46/EC); it did not use the term 'accountability' but supported it via duties to register/notify processing with DPAs.
What is “CNIL”?
France's data protection authority, the Commission nationale de l'informatique et des libertés.