The ICO’s Accountability Framework aims to provide organisations with some clear examples of actions that would indicate to the ICO that they were complying with the GDPR’s Accountability Principle. Following on from the first of our blogs on this topic, which looked at the first two sections of the Framework, this blog explores the next four sections: Training and Awareness; Individuals’ Rights; Transparency; and Records of Processing and Lawful Basis.
Section 3 – Training and Awareness
Conducting training and promoting awareness of data protection are important for ensuring that all the policies and procedures put in place to promote compliance are effective in practice. Furthermore, providing training is a great way of demonstrating compliance across all departments of your organisation. This section is split into five parts:
All-staff training programme
Induction and refresher training
Essentially, this section is about making sure everyone is aware of their role in protecting personal data and understands their responsibilities and how to carry them out. GDPR compliance cannot just be left to the specialists in an organisation and this section of the Framework makes that very clear.
Section 4 – Individuals’ Rights
Respecting individuals’ rights will help you to comply with the other six key principles of the GDPR. Upholding individuals’ rights will also benefit your organisation by enhancing your reputation within the market through improving your trustworthiness. Demonstrating how you protect people’s rights will increase their confidence in your organisation. Section 4 is split into eleven parts:
Informing individuals and identifying requests
Logging and tracking requests
Monitoring and evaluating performance
Inaccurate or incomplete information
Rights relating to automated decision making and profiling
Ultimately, the ICO requires organisations to make data subjects aware of their rights and have procedures in place to deal with each type of request so that they can be handled quickly and effectively on receipt.
Section 5 – Transparency
Transparency is a key GDPR principle and is also essential for achieving accountability. Being transparent about how you A series of actions or steps taken in order to achieve a particular end.... personal data enables you to show that your organisation protects individuals’ rights and, in turn, boosts your organisation’s reputation as being trustworthy and honest. This section is split into seven parts:
A clear, open and honest explanation of how an organisation processes personal data.... content
Timely privacy information
Effective privacy information
Automated decision-making and profiling
Privacy information review
Tools supporting transparency and control
To summarise, this section requires organisations to be open and honest about how and why they process personal data. In the most part, this can be achieved through a privacy notices that are clear, detailed and accessible.
Section 6 – Records of Processing and Lawful Basis
Keeping an accurate Record of Processing Activities (RoPA) is a legal requirement for most organisations under Article 30 GDPR. RoPAs give you a clear idea of what data you process where, and why. This not only helps you to comply with the GDPR’s documentation requirements, but also helps you to assess where improvements to IT governance are needed. A lawful basis for processing is also required for all processing of personal data under the GDPR, and documenting this ensures that you are not only complying, but also demonstrating compliance. Section 6 is split into ten parts:
Record of Processing Activity (RoPA)
Good practice for RoPAs
Documenting your lawful basis
Lawful basis transparency
Risk-based age checks and parental or guardian consent
Legitimate interest assessment (LIA)
Having a RoPA that is populated with all the correct information will go a long way to demonstrating accountability. Although they are time-consuming to put together, if kept up to date they will prove invaluable for completing DSARs, informing privacy notices, and identifying risks.
The four sections discussed in this second blog about the ICO Accountability Framework provide organisations with useful, practical advice on how to demonstrate their compliance with the Accountability Principle in a way that will meet the ICO’s expectations. The final four sections of the Framework will be investigated in a third blog to be published on the DPO Centre website.
Fill in your details below and we’ll get back to you as soon as possible