Can your organisation evidence its compliance with the UK GDPR?
Organisations are required to take responsibility for what they do with personal data and to be able to demonstrate that the steps they have in place protect people’s rights (the Accountability Principle). This is one of the key principles of the UK GDPR. It places an onus on organisations that act as data controllers* to operate in a UK GDPR compliant manner and to be able to provide evidence of that compliance when requested to, in particular by the Information Commissioner’s Office (ICO).
There are a variety of measures (proportionate to the relevant risk) that an organisation can put in place to help demonstrate such compliance, for example:
- having a data protection policy;
- taking a “data protection by design and default” approach;
- ensuring written contracts are in place with organisations that process personal data on your behalf;
- maintaining documentation of your processing activities;
- maintaining documentation of requests received from data subjects to exercise their rights;
- having information governance policies and procedures on data retention, information security and data breach notifications;
- appointing a data protection officer (where appropriate);
- carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
- maintaining documentation of any personal data breaches; and
- implementing appropriate security measures.
Compliance with the Accountability Principle is an ongoing obligation. This means that the measures an organisation has in place to help demonstrate its compliance must be regularly reviewed and, where necessary, updated.
The ICO has produced useful guidance on this and has also made available an accountability toolkit for organisations to use to help assess, report and improve their data protection compliance.
It is important to note that failure to have the appropriate measures in place to evidence your organisation’s compliance may result in an investigation by the ICO and can ultimately lead to a fine being imposed up to the amount of £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.
*Please note that some of these obligations also apply to data processors.
If you would like any assistance in further understanding how your organisation can comply with this principle or have any other data protection related issues, please email or call Blacks’ Corporate Law team on 0113 207 0000.

Solicitor
AAkhtar@LawBlacks.com
0113 227 9224