What is the declaration of accountability?
A data controller responsible for processing personal data must be able to demonstrate compliance with the law. This includes being able to demonstrate the effective operation of the measures taken to protect personal data. Accountability has been further elaborated by the Dutch Data Protection Authority. Through an accountability review, an organization can demonstrate that it is accountable in accordance with Article 5(2) and Article 24 GDPR.
Data processors contracted by a data controller must also account to the controller for their compliance with the GDPR. The data controller must review the accountability of the processor before it can use that review to demonstrate its own accountability.
An accountability study makes it possible for the management of an organization, whether a controller or a processor, to demonstrate accountability.
The accountability review meets the requirements of governance and compliance as laid down in section 2:391, subsection 5 of the Dutch Civil Code, and elaborated in various codes of governance. The results of the accountability review can be included in the assurance activities of, for example, the chartered accountant auditing the annual accounts. The accountability review consists of the following:
- Compliance with legal policies and baselines;
- Presenting the organization’s maturity level to society by statements of the leadership of the organization, the DPO’s report and internal control by an internal or external professional; and
- Implementation of an appropriate internal control program, based on evidence that demonstrates the effective operation of the management and security measures that have been put in place.
It is about establishing compliance with relevant laws and regulations.
The accountability survey has been elaborated by DPOs, Registered Accountants and Registered IT Auditors and is applied by a variety of companies and institutions. The accountability review is supported by IT resources.
Duthler Associates collaborates with a Trusted Third Party (TTP), MYOBI, to present the organization's maturity level to society. Examples are:
- Lister (Dutch)
- PWN (Dutch), registration in the register; and
- Zonnehuisgroep Noord (Dutch), registration in the register.
The accountability study satisfies several legal frameworks, gives the management of the organization the possibility to comply with the accountability requirement at the pace that is feasible for the organization, and makes it possible to assign the internal control task as much as possible to the organization's own employees. The advantages at a glance:
- Creates and demonstrates effective compliance with legislation within the capabilities of the organization;
- Offers a useful accountability and communication tool for all those involved, including user groups, the works council and society. The management of the organization demonstrates its respectful and honest handling of personal data, and those involved are taken seriously;
- By using comprehensive legal policies and baselines, one accountability review and one accountability statement can be used for several supervising bodies. This is not only effective but also cost-efficient;
- The results of the surveys are recorded automatically and systematically. This creates management information aimed at improving internal control; and
- The liability and cost risks of non-compliance are made manageable for the organization, the management and the DPO.
Duthler Associates arranges the process of carrying out accountability reviews. This involves the use of appropriate legal policies and baselines. Internal control employees are supported by IT. The professionals of Duthler Associates can assist the internal employee or assume this role.
Would you like to know more or use our accountability review? Please contact us. We are delighted to meet you.