Part 2 – Ignore Accountability…
At the heart of the new General Data Protection Regulation delivery is accountability. It’s embedded in the GDPR and is critical to organisational readiness: ignore it and you’re sure to fail. It is not to be confused with responsibility: accountability is assigned by circumstance rather than by management process, and it cannot be delegated or mitigated.
To quote Information Commissioner Elizabeth Denham in January this year:
“I want to explain how accountability is at the centre of all of this: of getting it right today, getting it right in May 2018, and getting it right beyond that… The GDPR mandates organisations to put into place comprehensive but proportionate governance measures… It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.”
To accept accountability, your organisation needs to set the tone for GDPR delivery from the very top, and ensure that accountability runs through the management like a stick of rock. It’s mandated in Article 5.2, so there’s no getting away from it.
Accepting accountability is your organisation’s greatest delivery asset because it will ensure that everyone in your organisation understands their role in delivering GDPR and protecting data, and acts accordingly. Each business unit must recognise their accountability, and take responsibility for their own delivery of GDPR readiness. If you treat data protection and GDPR as issues that can be tucked away somewhere in an arm’s length delivery team, then you are guaranteed to fail. The business needs to own the issue.
Accountability is also your organisation’s greatest protection if you are subject to a complaint or investigation. If your controls aren’t up to scratch, or you’ve perhaps made some poor decisions about your GDPR delivery, but you can demonstrate that you have accepted accountability for GDPR and committed appropriate resources, then that will be a significant mitigation in your favour. Specifically, you need to:
- Set the tone from the top through a board-level (or equivalent) policy that assigns the priority, resources and budgets for GDPR delivery
- Ensure that each member of the board understands their accountability for delivery and acts accordingly
- Check that responsibilities have been suitably assigned and that the individuals tasked with delivery have been empowered to do so
Accountability costs nothing and is the most effective tool you have available to you, and the most certain way to fail at GDPR delivery is to ignore it.
Please suggest your own GDPR Dumb Ways to Fail in the comments below and we’ll add them to the list to be tackled in the coming days.