The ICO’s Accountability Framework aims to provide organisations with some clear examples of actions that would indicate to the ICO that they were complying with the GDPR’s Accountability Principle. Following on from the first of our blogs on this topic, which looked at the first two sections of the Framework, this blog explores the next four sections: Training and Awareness; Individuals’ Rights; Transparency; and Records of Processing and Lawful Basis.
Section 3 – Training and Awareness
Conducting training and promoting awareness of data protection are important for ensuring that all the policies and procedures put in place to promote compliance are effective in practice. Furthermore, providing training is a great way of demonstrating compliance across all departments of your organisation. This section is split into five parts:
All-staff training programme
- All staff receive a minimum level of data protection training
- Responsibility for staff training is assigned to a specific person(s) who has a plan in place to meet training needs
Induction and refresher training
- Data protection training is part of staff induction into any role
- Refresher training is completed at regular intervals
- Individuals’ access to personal data is restricted until they have undergone training
Specialised roles
- Staff with key data protection responsibilities receive extra training and CPD specific to their roles
Monitoring
- Understanding is assessed after training to ensure its effectiveness e.g. sitting a test with a minimum pass mark
- Training records are kept and reviewed
Awareness raising
- A range of methods are used to raise staff awareness of data protection such as emails, posters, team meetings, and blogs
- Staff know who to contact if they have any queries about data protection
Essentially, this section is about making sure everyone is aware of their role in protecting personal data and understands their responsibilities and how to carry them out. GDPR compliance cannot just be left to the specialists in an organisation and this section of the Framework makes that very clear.
Section 4 – Individuals’ Rights
Respecting individuals’ rights will help you to comply with the other six key principles of the GDPR. Upholding individuals’ rights will also benefit your organisation by enhancing your reputation within the market through improving your trustworthiness. Demonstrating how you protect people’s rights will increase their confidence in your organisation. Section 4 is split into eleven parts:
Informing individuals and identifying requests
- Policies and procedures are in place for dealing with data subjects’ requests
- Staff receive training on how to recognise requests and where to send them/how to deal with them
Resources
- Responsibility for handling requests is assigned to a specific person/team
- Sufficient resources are available to deal with requests in a timely manner
Logging and tracking requests
- Requests are recorded in a log that is updated at each stage of handling a request
Timely responses
- All requests are responded to within the statutory timescales
- Individuals are informed if an extension is required
- If refusing a request, the reasons for doing so are recorded
Monitoring and evaluating performance
- The staff dealing with requests meet regularly to discuss any issues
- Reports are produced to monitor how requests are dealt with
Inaccurate or incomplete information
- Proportionate and reasonable steps are taken to check the accuracy of the personal data held and, where necessary, it is rectified
- Third parties with whom the personal data has been shared are informed of rectifications
- Upon request, individuals are informed about which third parties have received their personal data
Erasure
- Personal data is erased from back-up systems as well as live systems
- Third parties with whom personal data has been shared are informed about any erasure
Restriction
- Appropriate procedures are in place to restrict the processing of personal data if required
Data portability
- Personal data is provided in a structured, commonly used, and machine-readable format
- Information can, where possible, be directly transmitted to another organisation
Rights relating to automated decision making and profiling
- Only the minimum data required is collected and there is a clear retention policy in place for the profiles created
- Additional checks are completed for automated decision making and profiling performed on vulnerable groups
- If using solely automated decisions that have significant effects on individuals, processing complies with Article 22 GDPR and a DPIA is performed
Individual complaints
- Complaints procedures are in place
- Privacy notices inform individuals of their right to lodge a complaint
- The DPO’s contact details are clearly published
Ultimately, the ICO requires organisations to make data subjects aware of their rights and have procedures in place to deal with each type of request so that they can be handled quickly and effectively on receipt.
Section 5 – Transparency
Transparency is a key GDPR principle and is also essential for achieving accountability. Being transparent about how you process personal data enables you to show that your organisation protects individuals’ rights and, in turn, boosts your organisation’s reputation as being trustworthy and honest. This section is split into seven parts:
Privacy notice content
- Privacy notices contain all the information required by Articles 13 and 14 GDPR
Timely privacy information
- Privacy notices are given to individuals at the time their personal data is collected (e.g. on filling in a form) or by observation (e.g. signage for CCTV)
- If data is provided by a source other than the individual, privacy notices are provided within a reasonable period and within one month
Effective privacy information
- Individuals are proactively made aware of privacy information
- Privacy information is in clear, plain, and age-appropriate language and is offered in accessible formats
Automated decision-making and profiling
- There is transparency around the purposes of the processing
- Individuals are made aware of their rights
Staff awareness
- Staff are trained about privacy information
Privacy information review
- Privacy information is kept up to date with the Record of Processing Activities (RoPA)
- A record of historical privacy notices with dates of amendments is maintained
Tools supporting transparency and control
- Strong privacy defaults and user-friendly controls are used
- Tools, such as secure self-service portals, are used to enable individuals to manage how their personal data is used
To summarise, this section requires organisations to be open and honest about how and why they process personal data. For the most part, this can be achieved through privacy notices that are clear, detailed and accessible.
Section 6 – Records of Processing and Lawful Basis
Keeping an accurate Record of Processing Activities (RoPA) is a legal requirement for most organisations under Article 30 GDPR. RoPAs give you a clear idea of what data you process, where, and why. This not only helps you to comply with the GDPR’s documentation requirements, but also helps you to assess where improvements to IT governance are needed. A lawful basis for processing is also required for all processing of personal data under the GDPR, and documenting this ensures that you are not only complying, but also demonstrating compliance. Section 6 is split into ten parts:
Data mapping
- Data mapping is used to understand data flows
- Staff throughout the organisation are consulted using questionnaires, surveys or face-to-face questioning to populate and update the data map
Record of Processing Activity (RoPA)
- Information is recorded electronically and is easily amendable
- The RoPA is regularly reviewed and updated by a designated individual/team
RoPA requirements
- The RoPA contains all the information required by Article 30 GDPR
- A record of all processing activities carried out by processors is kept
Good practice for RoPAs
- The RoPA includes, or has links to, documentation regarding privacy notices, consent, DPIAs, data breaches, data sharing agreements, retention policies etc.
Documenting your lawful basis
- The most appropriate lawful basis for each processing activity is chosen and justification is documented prior to beginning processing
- An appropriate condition is documented when processing special category data or criminal offence data
Lawful basis transparency
- The lawful basis being relied upon is made clear to individuals
- Any change to the lawful basis is communicated to data subjects in a timely manner
Consent requirements
- Consent requests are separate from other terms and conditions, require a positive opt-in, are clear and unambiguous, and individuals can opt out easily
- Records of consent are easily amendable
Reviewing consent
- Procedures are in place to review and refresh consent routinely
Risk-based age checks and parental or guardian consent
- Reasonable efforts are made to check the age of individuals giving consent, and their ability to give consent themselves
- Where required, there is a mechanism for gaining parental or guardian consent that is recorded and reviewed regularly
Legitimate interest assessment (LIA)
- Where relying on legitimate interests as the lawful basis for processing, an LIA is carried out before the processing begins
- LIAs are clearly documented and reviewed regularly
Having a RoPA that is populated with all the correct information will go a long way to demonstrating accountability. Although they are time-consuming to put together, if kept up to date they will prove invaluable for completing DSARs, informing privacy notices, and identifying risks.
Conclusion
The four sections discussed in this second blog about the ICO Accountability Framework provide organisations with useful, practical advice on how to demonstrate their compliance with the Accountability Principle in a way that will meet the ICO’s expectations. The final four sections of the Framework will be investigated in a third blog to be published on the DPO Centre website.