The Information Commissioner of the Isle of Man has issued guidance on “accountability” under GDPR.
Key takeaways:
- You need to develop, embed and maintain a culture of data protection in your processing activities, with compliance demonstrably supported from the top.
- All processing of personal data should be subject to overview, governance and demonstrable compliance.
- Key components:
  - Effective data protection policies and procedures, in particular regarding security arrangements.
  - Records of processing activities.
  - Ongoing review and testing of security arrangements, and of compliance with policies and procedures.
  - Appropriate and regular staff training in the relevant policies and procedures.
  - The appointment of an independent data protection officer (DPO).
- Regular monitoring, review and revision are required to ensure that processes, procedures and documentation remain fit for purpose, reflect the realities of the processing actually undertaken, and are adhered to by staff, processors and others.