Here is a little thread you need to know about the #GDPR and accountability
#eudatap #privacy
Chapters 2, 5 and 9 #GDPR contain the rules for processing personal data. However, 100% compliance with these rules is impossible in practice. #eudatap #privacy
So, during the #GDPR negotiations, the EU Council of Ministers pushed hard on the accountability principle enshrined in Chapter 4. They called it "the risk-based approach". #eudatap #privacy
The risk-based approach means controllers (and to some extent also processors) must do their homework to limit risk and be compliant. #eudatap #privacy
'Homework' means a.o. carrying out a DPIA if risks are high (art.35 #GDPR), taking appropriate security measures taking into account costs and the state of the art (art.32) and appointing a DPO (art.37). #eudatap #privacy
However, there are limits to how much homework is required. DPIAs are only required when the risk is likely high. Most organizations are not required to have a DPO, etc. #eudatap #privacy #GDPR
The only non risk-based article in Chapter 4 #GDPR is art. 30 (data registry), although a not very useful exception for SMEs is included in there. #eudatap #privacy
So, #GDPR accountability means: doing your homework where appropriate and the best you can. But there is no obligation to strive to eliminate all risk and be 100% compliant with the material rules. #eudatap #privacy
Or as a high civil servant of the European Commission once put it: "the measures don't need to be perfect, only good enough".
#eudatap #privacy #GDPR
A good example of homework not required is a recent case in a Dutch court. A process server inquiring for information acts as a civil servant and is subject to disciplinary rules. The employer, probably afraid of a data breach, refused to disclose the personal data. #GDPR #privacy
The Court said that given the legal status of the process server, there was no #GDPR duty for the employer to verify the existence of the court order and he was required to disclose the data under procedural law. #eudatap #privacy
So basically the Court rightfully implied that any #GDPR liability arising from an unauthorized disclosure would in such case be the problem of the process server, not the disclosing employer. Same for fines. #eudatap #privacy
In contrast, another Dutch court recently prohibited an employer from implementing biometrics. The Court concluded that the employer had failed to do his #GDPR homework (necessity assessment, DPIA), so given art.9, the biometrics were disproportionate. #eudatap #privacy
The risk-based approach in Chapter 4 #GDPR means that a controller/processor cannot be fined or held liable if he has done his homework and the extent of such homework was appropriate given the circumstances. #eudatap #privacy
Not doing the #GDPR homework or doing it only half-baked given the circumstances may result in fines, liability and sometimes being barred from processing personal data. #eudatap #privacy
All you need to do is to find the level of appropriateness of the measures you implement or carry out to comply with the #GDPR in light of the risks involved, the costs and the state of the art, best practices and the law (non-GDPR). There is no need to eliminate all risk. #privacy