9. Demonstrate compliance with data protection legislation
A controller must be able to demonstrate that it complies with data protection legislation. This is called ‘accountability’. Accountability also means that certain measures must be written down, or documented.
The controller must take all measures required by accountability. Such technical and organisational measures include the provision of training, instructions and orders to personnel, building surveillance, supervision of personal data processing, information system security, data encryption, technical limitations, as well as audit and surveillance systems.
The extent of accountability depends on factors such as the size of the organisation and the volume and types of personal data processed by the controller. The controller must ensure accountability from the planning stage of processing onwards, not only once processing has begun.
The purpose of accountability is to demonstrate how the controller respects the privacy of the people whose data it is processing. Accountability increases trust in the controller.
The adequacy of documentation and measures must be assessed on a regular basis, for example in connection with Board meetings.