ICO Accountability Framework: Part 1

Last month, the Information Commissioner’s Office (ICOThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) published its AccountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. Framework with a view to helping organisations better understand how to comply with the GDPR’s Accountability Principle set out in Article 5(2). This article states: 

The controller shall be responsible for, and be able to demonstrate compliance with the other six key data protection principlesA series of principles which embody the requirements of the data protection regulation..

This means that organisations must be proactive in taking steps to comply with the GDPR and, furthermore, evidence these steps. However, the GDPR does not provide an exhaustive, prescriptive list of what organisations should do in order to fulfil this obligation – Article 24(1) merely highlights that measures should be “risk-based and proportionate”. This has led to some confusion which the Accountability Framework attempts to alleviate.   

The Framework provides some advice and clear examples of actions which, if carried out, would help to indicate to the ICO that an organisation was complying with the Accountability principle. To be clear, this is not a tick-box exercise. The examples given are not exhaustive, nor do organisations have to fulfil them all to be compliant; what will be determined as sufficient for each organisation will depend on many factors, such as the size of the organisation, the amount and type of personal dataInformation which relates to an identified or identifiable natural person. processed, and the purposes of processing. However, Ian Hulme, the ICO’s Director of Regulatory Assurance, hopes that the Framework will “empower and enable you to embed accountability throughout your organisation” which will “enhance your reputation as a business that can be trusted with personal data”. 

How can this framework be used?  

As part of the Framework, the ICO has provided an accountability self-assessment tool and accountability tracker (xlsx). These tools will be very helpful in enabling your organisation to assess their current compliance level and check their existing practices against the expectations of the ICO. Furthermore, they can guide you as to what to do next and be used to track and report on your progress towards demonstrating compliance. Finally, the provision of user-friendly examples may help to increase engagement and awareness across your organisation. 

The Framework 

The Framework is split into ten sections: 

1. Leadership and oversight  
2. Policies and procedures 
3. Training and awareness 
4. Individuals’ rights 
5. Transparency  
6. Records of processing and lawful basis 
7. Contracts and data sharing 
8. Risks and data protection impact assessments (DPIAs) 
9. Records management and security  
10. Breach responseAn organisation's procedure or approach for recording, investigating, containing and mitigating a personal data breach. and monitoring 

Over the course of three blog posts, we will explore each of these sections and pull out the key actions that may indicate to the ICO that you are meeting their expectations with regard to accountability and thus, may be actions that, if not already taken, you should consider taking. This blog tackles the first two sections: leadership and oversight, and policies and procedures. 

Section 1 – Leadership and Oversight 

The ICO describes leadership and oversight as a ‘fundamental building block’ of accountability. They have split their examples of how organisations can meet their expectations on this point into six sections. These sections, as well as the key points to come out of each, are outlined below:  

Organisational structure 

• • Ultimate responsibility for data protection and information governance sits with the highest level of management or the company board 
  • Policies set out the organisational structure for managing data protection, with clear reporting lines between staff of different levels 
  • Job descriptions clearly set out each staff member’s data protection responsibilities so that staff understand the organisation structure and their place within it 

Data Protection Officers (DPOs) 

• • Your appointed DPO has expert knowledge of data protection laws and practices 
  • Your DPO has the authority, support, and resources to do their job effectively 
  • If not required by the GDPR to appoint a DPO, this decision is recorded and responsibility for compliance is assigned elsewhere 

Appropriate reporting 

• • Your DPO reports to the highest level of management  
  • The advice of your DPO is followed and their expertise taken into account during decision making 
  • Staff know who the DPO is, and when and how to contact them 

Operational roles 

• • Data protection and information governance staff have clear responsibilities for ensuring compliance, and the authority, support, and resources to fulfil them 
  • A network of data protection leads help to implement and maintain compliance at a local level 

Oversight groups 

• • An oversight group made up of appropriately experienced people meet regularly to provide direction and guidance around compliance to the rest of the organisation  
  • They have clear aims and action plans that are monitored regularly  
  • They discuss a full range of data protection related topics, for example, KPIs, issues and risks 

Operational group meetings 

• • Operational level groups meet regularly to discuss and coordinate data protection and information governance activities 
  • They report any issues or risks that arise to the oversight group 

Overall, this section is about ensuring that each staff member’s responsibilities regarding data protection are clearly set out, understood, and executed. This requires there to be a coordinated structure in place to oversee that these steps are being fulfilled and, if they are not, to act accordingly. 

Section 2 – Policies and Procedures  

Data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of Personal Data. requires organisations to put policies in place where it is proportionate to do so. Whether it is proportionate for your organisation to put various policies in place will depend on many factors. However, regardless of whether data protection laws require them of you, policies will help to provide clarity and consistency in approaches to data protection throughout your organisation. They are therefore key to ensuring that staff within your organisation know what they need to do and how. The ICO has split this section into four categories:  

Direction and support 

• • Policies and procedures provide staff with enough direction to understand their roles and responsibilities with regard to data protection 
  • Policies, procedures, and any other guidance materials are readily available to operational staff 

Review and approval 

• • All policies and procedures are reviewed and approved by a staff member of appropriate seniority 
  • Policies and procedures are reviewed regularly in line with recorded review dates, and updated when required 

Staff awareness 

• • Staff have read the policies and procedures and understand how to comply with them 
  • Staff are promptly made aware of any updates made to policies and procedures 

Data Protection by design and default 

• • Your policies, where relevant, are created with data protection in mind 
  • You have policies and procedures in place to ensure that data protection issues are considered when systems, services, products, and business practices involving personal data are designed and implemented 
  • Policies and procedures give extra protection to the personal data of vulnerable groups e.g. children 

To sum up, policies and procedures should be clear and easy to follow; reviewed regularly by people with the appropriate expertise; and made available to everyone so that they can be applied in practice.  

Conclusion

From the two sections above, it is clear that the ICO’s Accountability Framework provides many helpful, practical examples of how your organisation can demonstrate compliance with the principles of the GDPR. The following eight sections of the Framework will be examined in two further blogs. Read part 2 of the ICO accountability framework.