Last month, the Information Commissioner’s Office (ICO) published its Accountability Framework with a view to helping organisations better understand how to comply with the GDPR’s Accountability Principle set out in Article 5(2). This article states:
The controller shall be responsible for, and be able to demonstrate compliance with the other six key principles.
This means that organisations must be proactive in taking steps to comply with the GDPR and, furthermore, evidence these steps. However, the GDPR does not provide an exhaustive, prescriptive list of what organisations should do in order to fulfil this obligation – Article 24(1) merely highlights that measures should be “risk-based and proportionate”. This has led to some confusion which the Accountability Framework attempts to alleviate.
The Framework provides some advice and clear examples of actions which, if carried out, would help to indicate to the ICO that an organisation was complying with the Accountability principle. To be clear, this is not a tick-box exercise. The examples given are not exhaustive, nor do organisations have to fulfil them all to be compliant; what will be determined as sufficient for each organisation will depend on many factors, such as the size of the organisation, the amount and type of personal data processed, and the purposes of processing. However, Ian Hulme, the ICO’s Director of Regulatory Assurance, hopes that the Framework will “empower and enable you to embed accountability throughout your organisation” which will “enhance your reputation as a business that can be trusted with personal data”.
How can this framework be used?
As part of the Framework, the ICO has provided an accountability self-assessment tool and accountability tracker (xlsx). These tools will be very helpful in enabling your organisation to assess its current compliance level and check its existing practices against the expectations of the ICO. Furthermore, they can guide you as to what to do next and be used to track and report on your progress towards demonstrating compliance. Finally, the provision of user-friendly examples may help to increase engagement and awareness across your organisation.
The Framework is split into ten sections:
Over the course of three blog posts, we will explore each of these sections and pull out the key actions that may indicate to the ICO that you are meeting their expectations with regard to accountability and thus, may be actions that, if not already taken, you should consider taking. This blog tackles the first two sections: leadership and oversight, and policies and procedures.
Section 1 – Leadership and Oversight
The ICO describes leadership and oversight as a ‘fundamental building block’ of accountability. They have split their examples of how organisations can meet their expectations on this point into six sections. These sections, as well as the key points to come out of each, are outlined below:
Data Protection Officers (DPOs)
Operational group meetings
Overall, this section is about ensuring that each staff member’s responsibilities regarding data protection are clearly set out, understood, and executed. This requires there to be a coordinated structure in place to oversee that these steps are being fulfilled and, if they are not, to act accordingly.
Section 2 – Policies and Procedures
Data protection law requires organisations to put policies in place where it is proportionate to do so. Whether it is proportionate for your organisation to put various policies in place will depend on many factors. However, regardless of whether data protection laws require them of you, policies will help to provide clarity and consistency in approaches to data protection throughout your organisation. They are therefore key to ensuring that staff within your organisation know what they need to do and how. The ICO has split this section into four categories:
Direction and support
Review and approval
Data Protection by design and default
To sum up, policies and procedures should be clear and easy to follow; reviewed regularly by people with the appropriate expertise; and made available to everyone so that they can be applied in practice.
From the two sections above, it is clear that the ICO’s Accountability Framework provides many helpful, practical examples of how your organisation can demonstrate compliance with the principles of the GDPR. The following eight sections of the Framework will be examined in two further blogs. Read part 2 of the ICO accountability framework.