Accountability is not a box-ticking exercise. Being responsible for compliance with the GDPR means that you need to be proactive and organised about your approach to data protection, while demonstrating your compliance means that you must be able to evidence the steps you take to comply.
If you are a smaller organisation (e.g. a GP practice), the ICO says you will most likely benefit from a smaller-scale approach to accountability. Amongst other things, you should:
- ensure a good level of understanding and awareness of data protection amongst your staff;
- implement comprehensive but proportionate policies and procedures for handling personal data; and
- keep records of what you do and why.
Article 24(1) of the GDPR says that:
- you must implement appropriate technical and organisational measures to ensure, and be able to demonstrate, compliance with the GDPR;
- the measures should be risk-based and proportionate, taking into account the nature, scope, context and purposes of the processing and the risks it poses to individuals; and
- you need to review and update the measures as necessary.