Lesson 19 of 25

Accountability: DPIAs, Records, Privacy by Design & the DPO

5 min read · CIPP/E

Turn accountability into practice: data protection by design and by default, Article 30 records, the high-risk DPIA triggers, prior consultation, and the three cases that make a DPO mandatory.

Accountability made concrete

  • Article 5(2) accountability → Article 24 controller responsibility
  • Demonstrate compliance with documents and measures
  • Domain IV.B tools: by design, records, DPIA, DPO, audit
  • Heavily tested cluster

Accountability, the seventh principle from Article 5(2), becomes concrete in Domain IV. Article 24 makes the controller responsible for implementing appropriate measures and for being able to demonstrate that processing complies with the GDPR. The Body of Knowledge then lists the practical accountability tools, and the exam tests each of them: data protection by design and by default, records of processing, data protection impact assessments, the data protection officer, and auditing.

These are the things you can show a regulator to prove compliance. Let's take the most examined ones in turn, with the trigger that makes each mandatory, because the exam loves the word mandatory.

Data protection by design and by default (Article 25)

  • By design — build privacy in from the start
  • By default — strictest privacy settings as the default
  • Examples: minimisation, pseudonymisation baked in
  • Applies throughout the processing lifecycle

Article 25 sets out data protection by design and by default. By design means you build data protection into your systems and processes from the very beginning, not as an afterthought, implementing measures like pseudonymisation and data minimisation at the design stage. By default means that, out of the box, only the personal data necessary for each specific purpose is processed: the privacy-protective setting is the default, not something the user has to switch on.

A social network that defaults new profiles to private, rather than public, is honouring privacy by default. The principle applies across the lifecycle, from initial design through operation. Expect the exam to test the difference between by design, the build-it-in idea, and by default, the strictest-setting idea.

Records of processing (Article 30)

  • Maintain a written record of processing activities (RoPA)
  • Controllers and processors both keep records
  • Contents: purposes, categories, recipients, transfers, retention
  • Small-org exemption (<250) with key exceptions

Article 30 requires records of processing activities, often called a RoPA. Both controllers and processors must maintain a written record, including in electronic form, of their processing. For a controller, the record includes the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers to third countries, the envisaged retention periods, and a general description of the security measures.

There is a partial exemption for organisations with fewer than two hundred and fifty employees, but, and this is the exam trap, it does not apply if the processing is likely to result in a risk to individuals, is not occasional, or involves special-category or criminal-offence data. In practice, almost every serious organisation keeps a RoPA. The record is a cornerstone of demonstrating accountability.

Data protection impact assessments (Article 35)

  • Required when processing is likely to be HIGH risk
  • Mandatory triggers: large-scale special data, systematic monitoring, profiling with effects
  • Assess necessity, proportionality, and risk; plan mitigations
  • Article 36 — consult the authority if high risk remains

Article 35 requires a data protection impact assessment, a DPIA, when a type of processing is likely to result in a high risk to the rights and freedoms of individuals. Article 35(3) names mandatory triggers: a systematic and extensive evaluation based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special-category or criminal-offence data; or systematic monitoring of a publicly accessible area on a large scale. Supervisory authorities also publish their own lists of operations requiring a DPIA.

The DPIA must describe the processing, assess its necessity and proportionality, assess the risks, and set out the measures to mitigate them. Under Article 36, if a high residual risk remains after mitigation, you must consult the supervisory authority before starting; that is prior consultation. The high-risk trigger and the prior-consultation step are prime exam material.

The Data Protection Officer (Articles 37-39)

  • Mandatory in three cases (Art. 37)
  • Public authority; large-scale systematic monitoring; large-scale special data
  • Independent, reports to top management, no conflict of interest
  • Tasks (Art. 39): advise, monitor compliance, train, liaise with the DPA

Articles 37 to 39 cover the data protection officer, the DPO, and the exam tests exactly when one is mandatory. Under Article 37, a DPO must be appointed in three cases: where the processing is carried out by a public authority or body; where the core activities consist of regular and systematic monitoring of data subjects on a large scale; or where the core activities consist of large-scale processing of special-category or criminal-offence data. The DPO must be independent, cannot be instructed how to do the role, reports to the highest level of management, and must not have a conflict of interest, so the head of marketing or IT usually cannot double as DPO.

Article 39 lists the DPO's tasks: to inform and advise the organisation, monitor compliance, advise on DPIAs, train staff, and act as the contact point for the supervisory authority and data subjects. Memorise the three mandatory triggers.

Recap

  • By design/by default (Art. 25); records (Art. 30)
  • DPIA for high-risk processing (Art. 35); consult DPA if needed (Art. 36)
  • DPO mandatory in three cases (Art. 37); independent (Arts. 38-39)
  • Audits help demonstrate ongoing compliance

So accountability is a toolkit. Article 25 requires data protection by design (building privacy in) and by default (the strictest settings out of the box). Article 30 requires records of processing for both controllers and processors.

Article 35 requires a DPIA whenever processing is likely to be high risk, with mandatory triggers and prior consultation under Article 36 if high residual risk remains. And Articles 37 to 39 require a DPO in three defined cases, and protect the DPO's independence. Auditing ties it together by checking that all of this works in practice.

Next, we look at the regulators who enforce it: the DPAs, the EDPB, the EDPS, and the one-stop-shop. First, go test yourself on accountability.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 5(2) (accountability), Article 24 (controller responsibility), Article 25 (data protection by design and by default), Article 30 (records of processing), Article 35 (DPIA), Article 36 (prior consultation), Articles 37-39 (DPO)
  • Recitals 74-77, 89-97
  • EDPB DPIA and DPO guidelines

Test your knowledge

A few CIPP/E questions on this material.

  1. A development team is designing a new HR system and wants to follow GDPR best practices from the start. Which Article 25 concept describes building data-protection measures into the system architecture at the design stage?

  2. An unconscious accident victim is brought to an emergency room. A relative has the patient's medical records on their phone but cannot obtain the patient's consent to share them with the treating doctor. What lawful basis would apply to the hospital processing the medical data without the patient's consent?

  3. A supervisory authority discovers that a company is processing personal data without any lawful basis. Which corrective power under Article 58 allows the authority to tell the company to stop the processing entirely?

  4. A company fails to maintain records of processing activities under Article 30 and does not appoint a required DPO. Under Article 83, which fine tier applies to these violations?