Responsibility of the controller
Accountability is first introduced in Article 5: Article 5(1) lists the six principles, and Article 5(2) adds the new duty that the controller must be able to demonstrate compliance with them. Article 24 codifies this - controllers must implement appropriate technical and organisational measures, scaled to the risk, and review and update them. Higher-risk processing demands greater measures. Three practical pillars deliver compliance: internal policies, internal allocation of responsibilities and training. A new data breach must be declared to the DPA within 72 hours.
The six principles of Article 5(1) are: lawfulness/fairness/transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. These were familiar from the Directive. The genuinely new addition is Article 5(2): the controller is not only responsible for the principles but must be able to demonstrate compliance with them.
Article 24(1) requires the controller to implement appropriate technical and organisational measures to ensure and be able to demonstrate compliant processing, and to review and update those measures. The measures must reflect the nature, scope, context and purposes of processing and the risks to rights and freedoms. Higher risk demands greater measures. Article 24(2) adds the duty to implement appropriate data protection policies - but policies alone are not enough.
| Pillar | What it covers |
|---|---|
| Internal policies | A core internal data protection policy (scope, policy statement, employee and management responsibilities, incident reporting, compliance/sanctions) |
| Internal allocation of responsibilities | Allocating primary responsibility - e.g. a privacy management team/council and/or an appointed DPO |
| Training | Tailored, documented programmes; monitor rollout and completion rates |
Significant data breaches must be declared to the relevant DPA within 72 hours - a key item to capture in the incident-reporting part of the internal policy.