The GDPR is designed to ensure organisations are more accountable for their personal data processing activities.

This is emphasised by the fact that there is a new obligation to report data security breaches to the ICO within 72 hours of becoming aware of the breach and by the maximum level of fine that can be administered (€20million, or 4% of global annual turnover if higher). Hacking issues and leaks that have occurred over the past year or so emphasise the need for having a plan in place to contain and manage a data breach.

Accountability makes you responsible for complying with GDPR and means that you have to be able to demonstrate your compliance on an on-going basis and should a regulator later ask you for evidence. It can apply to any aspect of GDPR compliance, including for example:

  • Implementing appropriate data protection policies and data security measures; 
  • Implementing appropriate training, awareness raising, monitoring and audits; 
  • Ensuring you have a record of processing activity where required; 
  • Ensuring you have appointed a Data Protection Officer where required; 
  • Adopting “data protection by design and by default”, and where appropriate carrying out data protection impact assessments; 
  • Having appropriate written contracts in place when engaging others to process data on your behalf.

The focus on accountability should also have an impact on record keeping relating to decision making under the GDPR. For example, you’ll need to keep a record of your assessment as to whether the legitimate interests condition for processing is met, and any decisions to supply or withhold information in response to a subject access request.

Practical steps to take now

  1. Review the existing procedures you have for dealing with breaches – for example: 
    - Are the right people involved, both to take decisions and to undertake technical activities to try to minimise the scale of breach and consequences on data subjects?
    - How are the right people going to be contacted if a breach is discovered at 5.45pm on a Friday or midday on a Sunday?
  2. Download our checklist and keep the right records so you are able to demonstrate compliance.

Main contacts

Contact one of our lawyers to discuss your GDPR concerns.

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R
Register or login

Register or login Get all the benefits of MyM&R but registering or logging in ulla vehicula mauris mattis hendrerit fermentum. Etiam placerat hendrerit dapibus. Praesent ligula felis, eleifend sed odio quis, feugiat eros. Aliquam vitae felis fermentum, posuere nulla ut, maximus magna.

Staff intranet
Log in to the intranet
Client extranet
Log in to the extranet