Talking to… Carina Lopes About Accountability Requirements to GDPR Compliance

Carina Lopes started at LOQR in August 2021 as part of the Legal & Compliance team. She graduated in Law at Universidade do Minho, where she completed a postgraduate study in Contract and Company Law. Carina also has a background in Alternative Dispute Resolution and Mediation and Privacy and Data Protection. Currently, she is an invited lecturer of Digital Law at IPCA, and, in this conversation, she will talk a bit more about Accountability Requirements to GDPR Compliance.  

Carina, can you tell us more about the importance of this topic? 

The General Data Protection Regulation (GDPR) has formally embedded the requirement of accountability into the data protection legislative framework. It describes and extends the overall accountability of organizations that process personal data. 

‘Accountability’ refers to the different obligations an organization must comply with to show and evidence compliance with the data protection framework.  

Over the last 20 years, there has been an intensive debate about how organizations can better embed data protection within their businesses and operations. The GDPR is intended to achieve that outcome.  

A tick-box exercise is no longer an approach to companies: they must show that they have developed and embedded a data protection culture within their corporate DNA. Simply implementing policies and procedures, or completing and submitting registration forms, is no longer sufficient to establish the essential data protection credentials.  

To achieve the aimed accountability (one of the data protection principles), companies that determine the purposes and means of the processing of personal data (controllers) must also be guided by six other principles relating to the processing of personal data: Lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.  

The thing with accountability is that companies are not only responsible for complying with those principles, but also, crucially, they must be able to demonstrate their compliance with them.  

To demonstrate will be the key to accountability.  

What is the first thing to do in this subject?  

For companies to achieve and demonstrate accountability, they must, first, achieve a culture of data protection within their organization. That is achieved by incorporating and implementing several key requirements. Those requirements include, amongst other things, developing appropriate privacy policies and embedding good privacy standards and practices expressly within the corporate operations. And, ultimately, we will face the corporate culture.   

For instance, as part of developing new products and services, consideration should always be given to ensuring the privacy and protection of personal data during development phases. This must become part of a company’s overall approach to be built toward a clear picture of its data processing activities. That directly impacts the understanding of whether some action has a higher risk or lower, determining how to act, protect, and mitigate those risks. So, as you can see, how each employee understands these processes and their impact on delivering their organization’s privacy framework is crucial. We can invest in technology, but no technology can control a company’s culture and the employee’s will and ability to comply with the processes created.  

What are the key steps that ought to be considered to ensure compliance by companies?  

Among others, at the core of compliance for the data controllers and processors is an internal data protection strategy, beginning with an Internal Policy which outlines the basic contours of the steps to take in the processing and handling of personal data: it should include a brief statement that explains both to whom the internal policy applies and the type of processing activities it covers, as well as set out the company’s commitment to Privacy Standards and It’s position on personal data related processes.   

It should address the employees’ responsibilities in the different areas for which they are directly responsible when processing personal data, limitations around the processing or transfer of the collected personal data (vital when personal data ought to be sent outside of the European Economic Area), and, ultimately, its accuracy and prevention for unauthorized access or loss.  

An incident reporting framework should express the importance of any employee immediately reporting all incidents that involve the suspected or actual loss, theft, unauthorized disclosure, or inappropriate use of personal data. Where a company’s third-party service provider (i.e., one who processes or has access to company-related personal data) notifies the company of such an incident, then the steps to be taken by employees should also be clarified in the policy. But most important is to put incident response teams in place.  

Companies must demonstrate and provide information to Data Protection Authorities (DPAs) about the various data protection themes and reports, and management resources and take primary responsibility for the internal data protection framework to ensure internal compliance and be updated regularly.  

With the same level of importance, companies should create internal training programs tailored to its growth: frequency and format tailored to their business and operations activities, roles, and responsibilities of the different employees. The training should also be designed to address and inform employees of the legal data protection obligations and the company’s policy requirements, including the related policies created to support them. This should be documented and monitored.  

Nevertheless, if companies have more detailed policies, there should be appropriate cross-referencing between the different policy documents. In any event, there should be sufficient detail contained within this part of the internal policy statement to enable employees to understand what steps they must take regarding how they are permitted to handle personal data.  

As contained in the internal data protection policy, the’ security obligations’ are usually addressed more fully in a separate company’s information security policy. The two policies should, of course, be appropriately and adequately cross-referenced. An information security policy typically addresses the more detailed technical standards that apply to the physical and digital security of a company’s data. Some companies base these policies on industry standards, such as ISO 27001/2. Although it’s not legally required to do so, it stands for good practice.   

LOQR is currently being certificated on ISO 27001, always seeking maximum security and compliance.  

Companies should also be creating and delivering regular messages and updates to remind employees of their privacy obligations. Procedures should be created for employees to seek clarification of their obligations and responsibilities regarding personal processing data.  

What is privacy by default and by design?  

For me, this is one of the essential points of this aimed accountability.  

Data protection by design and by default (‘privacy by design and default’) are additional new requirements under the GDPR which can be described as the different ‘technical and organizational measures that companies that are data controllers are required to implement as part of their overall approach to protecting the rights and freedoms of individuals concerning the processing of their data. This includes the integration of any necessary safeguards into processing activities.  

On the one hand, privacy by design does not apply only to the planning and execution stages of new developments. Logically, it should also address the ongoing operation and management of such developments to enable companies to deal effectively with the entire lifecycle of any personal data the company processes.  

For companies at the product design stage to fulfill their obligations under Article 25 of GDPR, those responsible for design and development should create products with a built-in ability to manage and fulfill and/or which enable companies that are data controllers to manage and fulfill all data protection obligations under the GDPR.  

In practice, this will impact several areas within a company, such as the IT department, which must take data protection into account for the whole lifecycle of the system or process they are developing. Being a fintech company, LOQR has this in mind, creating this awareness in all its employees.   

On the other hand, we have a specific ‘privacy by default’ obligation. This demands companies to implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed: companies should take steps not only to limit or minimize the amount of personal data they collect but also to exercise greater controls over the extent of their processing, as well as only personal process data to the extent necessary for their intended and stated purposes.   

In practice, this could mean that the strictest privacy settings apply automatically once a customer acquires a new product or service.   

But unhelpfully, the GDPR does not specify the technical steps companies should take to comply with those obligations, so when implementing appropriate technical and organizational measures, companies could implement measures as minimizing the amount of personal data being processed, pseudonymization, and allowing individuals greater control over their data and visibility over what it is being processed. Other measures include applying appropriate security standards to the personal data held.  

Carina, if you had to define LOQR in one sentence, which would it be?   

With the goal of “Empowering digital Lives,” LOQR is a driver of digital transformation, keeping people’s lives digitally safe and compliant.