GDPR Accountability Handbook

For each of the 99 articles of the GDPR:


Accountability Annotation: An annotation explaining the meaning and impact of the Article.

Technical and Organisational Measures: A list of technical and organisational measures that once implemented may help:

  1. Achieve ongoing compliance with the GDPR, and
  2. Produce documentation that will help demonstrate compliance.

In some cases, the measure may not be applicable.

Example Accountability Mechanisms: A sample listing of appropriate policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards and other mechanisms that mitigate internal and external privacy risk. Accountability Mechanisms are produced when organisations put in place technical and organisational measures.

Example Evidence: A listing of sample evidence indicating that the accountability mechanisms have been implemented and used appropriately.


Here is one example:

Accountability Annotation: 

Article 13 - Controllers' obligations to provide notice to data subjects - Article 13 provides that where personal data relating to data subjects are collected, controllers must provide certain minimum information to those data subjects through an information notice. It also sets out requirements for the timing of the notice and identifies when exemptions may apply. See Recitals 60-62.

Technical and Organisational Measures: 

Maintain a data privacy notice that details the organization’s personal data handling practices - This privacy management activity ensures that controllers put in place policies and procedures to ensure that the required information is provided to data subjects when their information is collected.

Maintain policies / procedures for secondary uses of personal data - This privacy management activity addresses having policies and procedures that define how to handle situations when the organisation wishes to use personal data beyond the primary purpose. Secondary uses of data must be disclosed in information notices under Articles 13 and 14.

Provide data privacy notice at all points where personal data is collected - This privacy management activity addresses how an organisation provides an opportunity for data subjects to review the organisation's privacy notice at the point of data collection.

Example Accountability Mechanisms:

  • Data privacy notice
  • Just in Time Data Privacy Notice
  • Mobile Data Privacy Notice
  • Short Form/Condensed Data Privacy Notice
  • Translated Data Privacy Notice
  • Privacy Notice Language for Hard Copy Forms
  • Privacy Notice Signage
  • Privacy Notice in Marketing Communications
  • Privacy Notice in Contracts and Terms
  • Scripts for Providing Notice via Phone

Example Evidence: 

  • Copy of the information notice provided to data subjects
  • Documentation showing that privacy notice is aligned to legal requirements
  • Details on the placement and timing of the notice
  • Copies of contracts showing requirements for privacy notice language 
  • Records of training sessions with call center reps providing instruction on how to provide notice via phone