ICO Accountability Framework: Part 1

November 3, 2020
Categories
  • Data Protection
  • Data Protection Officer
  • GDPR
Tags
Accountability guidance blog

Last month, the Information Commissioner’s Office (ICO) published its Accountability Framework with a view to helping organisations better understand how to comply with the GDPR’s Accountability Principle set out in Article 5(2). This article states: 

The controller shall be responsible for, and be able to demonstrate compliance with, the other six key data protection principles.

This means that organisations must be proactive in taking steps to comply with the GDPR and, furthermore, evidence these steps. However, the GDPR does not provide an exhaustive, prescriptive list of what organisations should do in order to fulfil this obligation – Article 24(1) merely highlights that measures should be “risk-based and proportionate”. This has led to some confusion which the Accountability Framework attempts to alleviate.   

The Framework provides some advice and clear examples of actions which, if carried out, would help to indicate to the ICO that an organisation was complying with the Accountability principle. To be clear, this is not a tick-box exercise. The examples given are not exhaustive, nor do organisations have to fulfil them all to be compliant; what will be determined as sufficient for each organisation will depend on many factors, such as the size of the organisation, the amount and type of personal data processed, and the purposes of processing. However, Ian Hulme, the ICO’s Director of Regulatory Assurance, hopes that the Framework will “empower and enable you to embed accountability throughout your organisation” which will “enhance your reputation as a business that can be trusted with personal data”.

 

How can this framework be used?  

As part of the Framework, the ICO has provided an accountability self-assessment tool and an accountability tracker (xlsx). These tools will be very helpful in enabling your organisation to assess its current compliance level and check its existing practices against the expectations of the ICO. Furthermore, they can guide you as to what to do next and be used to track and report on your progress towards demonstrating compliance. Finally, the provision of user-friendly examples may help to increase engagement and awareness across your organisation.

 

The Framework 

The Framework is split into ten sections: 

  1. Leadership and oversight  
  2. Policies and procedures 
  3. Training and awareness 
  4. Individuals’ rights 
  5. Transparency  
  6. Records of processing and lawful basis 
  7. Contracts and data sharing 
  8. Risks and data protection impact assessments (DPIAs) 
  9. Records management and security  
  10. Breach response and monitoring

Over the course of three blog posts, we will explore each of these sections and pull out the key actions that may indicate to the ICO that you are meeting their expectations with regard to accountability and thus, may be actions that, if not already taken, you should consider taking. This blog tackles the first two sections: leadership and oversight, and policies and procedures. 

 

Section 1 – Leadership and Oversight 

The ICO describes leadership and oversight as a ‘fundamental building block’ of accountability. They have split their examples of how organisations can meet their expectations on this point into six sections. These sections, as well as the key points to come out of each, are outlined below:  

Organisational structure 

    • Ultimate responsibility for data protection and information governance sits with the highest level of management or the company board 
    • Policies set out the organisational structure for managing data protection, with clear reporting lines between staff of different levels 
    • Job descriptions clearly set out each staff member’s data protection responsibilities so that staff understand the organisation structure and their place within it 

 

Data Protection Officers (DPOs) 

    • Your appointed DPO has expert knowledge of data protection laws and practices 
    • Your DPO has the authority, support, and resources to do their job effectively 
    • If not required by the GDPR to appoint a DPO, this decision is recorded and responsibility for compliance is assigned elsewhere 

 

Appropriate reporting 

    • Your DPO reports to the highest level of management  
    • The advice of your DPO is followed and their expertise taken into account during decision making 
    • Staff know who the DPO is, and when and how to contact them 

 

Operational roles 

    • Data protection and information governance staff have clear responsibilities for ensuring compliance, and the authority, support, and resources to fulfil them 
    • A network of data protection leads helps to implement and maintain compliance at a local level

 

Oversight groups 

    • An oversight group made up of appropriately experienced people meets regularly to provide direction and guidance around compliance to the rest of the organisation
    • They have clear aims and action plans that are monitored regularly  
    • They discuss a full range of data protection related topics, for example, KPIs, issues and risks 

 

Operational group meetings 

    • Operational level groups meet regularly to discuss and coordinate data protection and information governance activities 
    • They report any issues or risks that arise to the oversight group 

 

Overall, this section is about ensuring that each staff member’s responsibilities regarding data protection are clearly set out, understood, and executed. This requires there to be a coordinated structure in place to oversee that these steps are being fulfilled and, if they are not, to act accordingly. 

 

Section 2 – Policies and Procedures  

Data protection law requires organisations to put policies in place where it is proportionate to do so. Whether it is proportionate for your organisation to put various policies in place will depend on many factors. However, regardless of whether data protection laws require them of you, policies will help to provide clarity and consistency in approaches to data protection throughout your organisation. They are therefore key to ensuring that staff within your organisation know what they need to do and how. The ICO has split this section into four categories:

 

Direction and support 

    • Policies and procedures provide staff with enough direction to understand their roles and responsibilities with regard to data protection 
    • Policies, procedures, and any other guidance materials are readily available to operational staff 

 

Review and approval 

    • All policies and procedures are reviewed and approved by a staff member of appropriate seniority 
    • Policies and procedures are reviewed regularly in line with recorded review dates, and updated when required 

 

Staff awareness 

    • Staff have read the policies and procedures and understand how to comply with them 
    • Staff are promptly made aware of any updates made to policies and procedures 

 

Data Protection by design and default 

    • Your policies, where relevant, are created with data protection in mind 
    • You have policies and procedures in place to ensure that data protection issues are considered when systems, services, products, and business practices involving personal data are designed and implemented 
    • Policies and procedures give extra protection to the personal data of vulnerable groups e.g. children 

 

To sum up, policies and procedures should be clear and easy to follow; reviewed regularly by people with the appropriate expertise; and made available to everyone so that they can be applied in practice.  

 

Conclusion

From the two sections above, it is clear that the ICO’s Accountability Framework provides many helpful, practical examples of how your organisation can demonstrate compliance with the principles of the GDPR. The following eight sections of the Framework will be examined in two further blogs. Read part 2 of the ICO accountability framework. 

© 2021 DPO Centre. All Rights Reserved.