GDPR Accountability Handbook

For each of the 99 articles of the GDPR

For each of the 99 articles of the GDPR you receive:

Accountability Annotation: An annotation explaining the meaning and impact of the Article.

Technical and Organisational Measures: A list of technical and organisational measures that once implemented may help:

  1. Achieve ongoing compliance with the GDPR, and
  2. Produce documentation that will help demonstrate compliance.

In some cases, the measure may not be applicable.

Example Accountability Mechanisms: A sample listing of appropriate policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards and other mechanisms that mitigate internal and external privacy risk. Accountability Mechanisms are produced when organisations put in place technical and organisational measures.

Example Evidence: A listing of sample evidence indicating that the accountability mechanisms have been implemented and used appropriately.


Here is one example:

Accountability Annotation: 

Article 13 - Controllers' obligations to provide notice to data subjects - Article 13 provides that where personal data relating to data subjects are collected, controllers must provide certain minimum information to those data subjects through an information notice. It also sets out requirements for the timing of the notice and identifies when exemptions may apply. See Recitals 60-62.

Technical and Organisational Measures: 

Maintain a data privacy notice that details the organisation's personal data handling practices - This privacy management activity ensures that controllers put in place policies and procedures so that the required information is provided to data subjects when their information is collected.

Maintain policies / procedures for secondary uses of personal data - 
This privacy management activity addresses having policies and procedures that define how to handle situations in which the organisation wishes to use personal data beyond the primary purpose. Secondary uses of data must be disclosed in information notices under Articles 13 and 14.

Provide data privacy notice at all points where personal data is collected - 
This privacy management activity addresses how an organisation provides an opportunity for data subjects to review the organisation's privacy notice at the point of data collection.