CIPP/E Study Guide
IAPP Training · Module 10 - BoK IV.B

Module 10 · Accountability defined (Article 24)

Article 24(1) makes the controller responsible for implementing appropriate technical and organisational measures to ensure and be able to demonstrate that processing complies with the GDPR, and for reviewing and updating them. This is a risk-based approach. Though the article names controllers, processors also have accountability duties (e.g., recordkeeping) and must support controllers; a processor is itself a controller for its own employee data. In practice accountability means data protection by design and default, DPIAs, records of processing, and appointing a DPO where needed. Regulators can audit and inspect.

Article 24(1): taking into account nature, scope, context, purposes and risks, the controller must implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing complies with the GDPR, and review/update them. This is a risk-based approach.

Processors are accountable too

Although Article 24 names controllers, processors also have accountability duties (e.g., recordkeeping) and must support controllers. A processor is itself a controller for its own employee data.

  • In practice accountability means: data protection by design and default; DPIAs; records of processing; appointing a DPO where needed.
  • Regulators/DPAs can audit and inspect premises, equipment, written systems and operations, and issue warnings or halt activities.

Key terms - quick answers

What is “Accountability”?
The Article 24 duty to ensure and be able to demonstrate compliance with the GDPR, with measures reviewed and updated over time.
What is “Risk-based approach”?
Calibrating accountability measures to the nature, scope, context, purposes and risks of the processing.
What is “DPIA”?
Data protection impact assessment - one of the practical mechanisms accountability requires.
What is “DPO”?
Data protection officer - appointed where required as part of demonstrating accountability.