The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, launched the “Accountability Initiative” in June 2016. In a speech before the European Court of Justice, he explained what accountability means:
- ensuring transparent internal data protection and privacy policies, approved and actively endorsed by the highest level of management of the organization;
- ensuring appropriate and effective internal processes and tools to implement these policies, so that the principles and obligations of data protection are adhered to and data subjects are adequately protected against the risks arising from the processing of their personal data;
- informing and educating everyone in the organization on how to implement these policies;
- monitoring and assessing the effectiveness of this implementation, a responsibility that lies at the highest level; on the basis of this monitoring and measurement, the organization must be able to demonstrate the quality of the implementation to external stakeholders and supervisors;
- establishing procedures for remediating poor compliance and data breaches.
Buttarelli also uses the notion of accountability to connect data protection with its ethical aspects.
Management is accountable for the effectiveness of the internal data protection and privacy policy, and is accountable to society in this respect. Accountability is thus in line with good governance as referred to in Section 391.5 of Book 2 of the Dutch Civil Code.
The management of an organization can only express an opinion on the effectiveness of the control measures it has taken if evidence of those measures has been systematically recorded in an administration, and if compliance activities can be carried out on that administration.
Accountability is evidence-based and facilitates compliance aimed at complying with the GDPR and the policy.
Auditability is risk-based and facilitates assurance aimed at establishing the accountability of the effective operation of data protection and privacy policies.