In the third and final blog post on this topic, we consider the last four sections of the ICO's Accountability Framework: Contracts and Data Sharing; Risks and Data Protection Impact Assessments (DPIAs); Records Management and Security; and Breach Response and Monitoring. For each section, we highlight some key actions that the ICO has indicated would demonstrate that an organisation is complying with the GDPR's Accountability Principle, which requires controllers to take responsibility for complying with the GDPR and to be able to document that compliance.
Section 7 – Contracts and Data Sharing
Having clear, legally binding agreements in place with data processing stakeholders is essential for demonstrating accountability. By formally recognising the relationships between organisations, contracts provide certainty in terms of what data subjects can expect of controllers and processors that handle their data. Within this section there are nine sub-sections:
Data sharing policies and procedures
Data sharing agreements
Controller-processor contract requirements
Processor due diligence checks
Processor compliance reviews
Third-party products and services
Purpose limitation
In summary, all data sharing between organisations should be accompanied by a contract or agreement that enables all parties to be held to account. Where a processor is involved, Article 28(3) of the GDPR prescribes the minimum terms that contract must contain (subject matter and duration of the processing, the controller's documented instructions, confidentiality, security measures, sub-processor controls, assistance with data subject rights and breach notification, deletion or return of data, and audit rights), so a generic supplier agreement will rarely be sufficient on its own.
Section 8 – Risks and Data Protection Impact Assessments (DPIAs)
Understanding the risks associated with how your organisation processes personal data is the first step towards implementing an effective data protection framework. Using DPIAs, you can identify the areas of processing that pose the greatest risk to individuals and then plan how to mitigate them. Note that a DPIA is not merely good practice: Article 35 of the GDPR makes one mandatory where processing is likely to result in a high risk to individuals. This section is split into five parts:
Identifying, recording and managing risks
Data protection by design and default approach to managing risks
DPIA policy and procedures
DPIA risk mitigation and review
In summary, organisations must have a procedure in place that enables risks to be identified, documented, mitigated and then periodically reviewed, since the risk profile of a processing activity changes as the technology, the data and the purposes change.
Section 9 – Records Management and Security
Records management and data security are at the heart of the GDPR because they enable good data governance which is essential for effective data protection. This section has twelve sub-sections:
Creating, locating and retrieving records
Security for transfers
Retention schedule
Information asset register
Rules for acceptable software use
Mobile devices, home or remote working and removable media
Business continuity, disaster recovery and back-ups
Taken together, these facets of records management and data security enable organisations to know what personal data they hold and where it is stored, to dispose of it once the retention period has expired, and to ensure, so far as possible, that only those who need access to it have it.
Section 10 – Breach Response and Monitoring
Having clear procedures in place to monitor for and deal with data breaches helps your organisation both to reduce the likelihood of breaches and to limit their impact when they do occur. Responding quickly and effectively to breaches is therefore essential. This final section consists of eight parts:
Detecting, managing and recording incidents and breaches
Assessing and reporting breaches
Reviewing and monitoring
External audit or compliance check
Internal audit programme
Performance and compliance information
Use of management information
Ultimately, monitoring of processes is key to, firstly, identifying vulnerable areas where a breach could occur and, secondly, mitigating the risk to individuals when a breach does occur. Monitoring should be both internal and external in order to fully gauge where vulnerabilities are located and to plan accordingly. The breach assessment and reporting procedures also need to work against the clock: under Article 33 of the GDPR a notifiable breach must be reported to the ICO within 72 hours of the organisation becoming aware of it, and under Article 34 affected individuals must be told without undue delay where the breach is likely to result in a high risk to them, so the procedure must make clear who decides whether a breach is notifiable and how that decision and its reasoning are recorded.
Collectively, the ten sections of the Accountability Framework should provide organisations with a clear road map to demonstrating compliance with the GDPR as a whole, as well as specifically with the Accountability Principle. Although it must be reiterated that the contents of this list are neither exhaustive nor mandatory in every case, the Framework, along with its accompanying self-assessment tool and accountability tracker, is likely to be invaluable for many organisations.