In the third and final blog post on this topic, we consider the last four sections of the ICO’s Accountability Framework: Contracts and Data Sharing; Risks and Data Protection Impact Assessments (DPIAs); Records Management and Security; and Breach Response and Monitoring. For each section, we highlight some key actions that the ICO (the Information Commissioner’s Office, the UK’s independent data protection supervisory authority) has indicated would demonstrate that an organisation is complying with the GDPR’s Accountability Principle.
Section 7 – Contracts and Data Sharing
Having clear, legally binding agreements in place with data processing stakeholders is essential for demonstrating accountability. By formally recognising the relationships between organisations, contracts provide certainty in terms of what data subjects can expect of controllers and processors that handle their data. Within this section there are nine sub-sections:
Data sharing policies and procedures
- There is a process in place to assess the legality, benefits and risks of data sharing
- Clear policies and procedures underscore all data sharing
- All data sharing decisions are documented and reviewed
Data sharing agreements
- Relevant data sharing agreements are in place, signed off by senior management
- Agreements are reviewed and updated regularly
Restricted transfers
- Assessments are made as to whether a restricted transfer is covered by an adequacy decision, appropriate safeguards, or the exemptions set out in Article 49 GDPR
Processors
- Written contracts with all processors are in place and reviewed regularly
- A log is kept of all processor contracts
- Where sub-processors are used, this is in writing
Controller-processor contract requirements
- Agreements include all the elements required in Article 28 GDPR
- Contracts detail the organisational and security measures that will be in place
- Contracts detail how data will be deleted or returned by the processor at the end of the contract
Processor due diligence checks
- The procurement process includes due diligence checks that are proportionate to the risks of processing before contracts are agreed
Processor compliance reviews
- Contracts include clauses allowing controllers to conduct audits or checks on processors’ compliance
Third-party products and services
- Any third parties chosen to process personal data design their products or services with data protection in mind
Purpose limitation
- Only the personal data that is necessary to achieve a specific purpose is shared
- Information is anonymised, pseudonymised or minimised wherever possible
In summary, all data sharing between organisations should be accompanied by a contract or agreement that enables all parties to be held to account.
Section 8 – Risks and Data Protection Impact Assessments (DPIAs)
Understanding the risks associated with how your organisation processes personal data is the first step towards implementing an effective data protection framework. Using DPIAs, you can identify the key areas that pose risks and then plan accordingly in order to mitigate them. This section is split into five parts:
Identifying, recording and managing risks
- An information risk policy outlines how risks are managed
- Risks are identified and managed using a risk register
- Formal procedures are in place to identify, record and manage risks associated with information assets in an information asset register
Data protection by design and default approach to managing risks
- Where required, Data Protection Impact Assessments (DPIAs) are conducted at the beginning of projects, running alongside the planning and development process
- Risks, and possible mitigations, are anticipated early and considered from the initial design phase of any system and throughout its lifecycle
DPIA policy and procedures
- A DPIA policy is implemented which includes criteria for deciding when to conduct a DPIA, what a DPIA should cover, and who is responsible for them
- If a DPIA is deemed unnecessary, this is documented
- Relevant stakeholders are consulted during the DPIA procedure
- Staff are trained on when to conduct a DPIA
DPIA content
- There is a standard template which includes all the sections required of a DPIA: nature, scope, context and purposes of processing; necessity, proportionality and compliance measures; and identification, assessment, and mitigation of risks
- The relationships and data flows between controllers, processors, data subjects and systems are clearly set out
DPIA risk mitigation and review
- Outcomes of DPIAs are integrated into work plans, project action plans, and risk registers
- High risk processing does not begin until mitigations are in place
- There is a procedure to consult the ICO if any high risks cannot be mitigated
In summary, organisations must have a procedure in place to enable risks to be identified, documented, mitigated, and then reviewed.
Section 9 – Records Management and Security
Records management and data security are at the heart of the GDPR because they enable good data governance, which is essential for effective data protection. This section has twelve sub-sections:
Creating, locating and retrieving records
- An information asset register logs all record-keeping systems and their whereabouts
- Records are classified and indexed to enable easy management, retrieval, and disposal
Security for transfers
- For data transfers off-site, appropriate security measures are taken (e.g. encryption, secure courier, VPN) which are outlined in a transfer policy/guidance
- Agreements are in place with any third parties used to transfer data
Data quality
- Procedures ensure the personal data kept is accurate, adequate, and not excessive
- Data quality assessments occur periodically
Retention schedule
- A retention schedule outlines the retention periods for different types of personal data with reference to any statutory requirements
- Retention periods are regularly reviewed and opportunities for data minimisation, pseudonymisation and anonymisation are identified
Destruction
- Paper documents are cross shredded or incinerated
- Data held on electronic devices is securely wiped or degaussed, or the hardware is securely destroyed
- All equipment and confidential information sent for disposal is logged
Information asset register
- An information asset register is kept updated and contains the details of all assets including the asset owner, location, retention periods, and security measures
Rules for acceptable software use
- Acceptable Use or terms and conditions of use policies are in place and compliance is monitored transparently
- System operating procedures record the security measures in place to protect data within systems
Access control
- Access to personal data is limited to only authorised staff who require access to fulfil their job role
- Users’ access rights are logged and reviewed regularly
- Formal user access provisioning procedures are in place to grant access to permanent and temporary staff
Unauthorised access
- Access is restricted to the absolute minimum according to the principle of least privilege
- Minimum password complexity rules are applied, and password management controls are in place
- Emails are encrypted
- Anti-malware and anti-virus protection is regularly updated
- Vulnerability scans are run regularly and findings mitigated
- External and internal firewalls, and intrusion detection systems are in place
Mobile devices, home or remote working and removable media
- Mobile devices and home/remote working policies outline how security risks are mitigated
- Encryption and remote wiping capabilities prevent unauthorised access
- Security measures, such as VPN and two-factor authentication, maintain the security of information
- A log is kept of all removable media and mobile devices
Secure areas
- Areas containing personal data have entry controls and entry is monitored
- Visitor protocols are in place
- Clear desk and clear screen policies are enforced
Business continuity, disaster recovery and back-ups
- Back-ups are stored off-site
- Back-up and recovery processes are tested regularly
- A risk-based continuity plan and disaster recovery plan are in place
Taken together, these facets of records management and data security enable organisations to know where they store data and ensure, so far as possible, that only those required to have access do so.
Section 10 – Breach Response and Monitoring
Having clear procedures in place to monitor and deal with data breaches ensures that your organisation can not only prevent breaches, but also limit their impact if they do occur. Responding quickly and effectively to breaches is therefore essential. This final section consists of eight parts:
Detecting, managing and recording incidents and breaches
- Staff are trained to recognise and report security incidents
- Procedures and systems facilitate breach reporting
- All security incidents and breaches are logged, even if they are not reportable to the ICO
Assessing and reporting breaches
- Procedures are in place to assess breach severity
- There is a clear procedure for ICO notification
Notifying individuals
- Where appropriate, a procedure states how data subjects will be notified
- Notification is made in clear language, and advice is given on how individuals can mitigate their risk
Reviewing and monitoring
- All breaches are logged and analysed
- Trend analysis is performed to understand key themes and issues
External audit or compliance check
- An external audit company is employed to provide independent assurance on the standard of data protection and information security compliance
- Audit reports document findings and action plans are created based on the findings
Internal audit programme
- Data protection compliance is tested regularly internally
- Informal, ad-hoc monitoring and spot checks are performed regularly
- Audit reports document findings and action plans are created based on the findings
Performance and compliance information
- KPIs relating to data protection compliance and information governance are in place and regularly assessed (e.g. subject access request (SAR) performance, staff training completed, and records management)
Use of management information
- Key data from KPI monitoring is provided to the relevant stakeholders who review outcomes and plan accordingly
Ultimately, monitoring of processes is key to firstly identifying vulnerable areas where a breach could occur and, secondly, mitigating the risk to individuals when a breach does occur. Monitoring should be both internal and external in order to fully gauge where vulnerabilities are located and to plan accordingly.
Conclusion
Collectively, the ten sections of the Accountability Framework should provide organisations with a clear road map to demonstrating compliance with the GDPR as a whole, as well as specifically with the Accountability principle. Although it must be reiterated that the contents of this list are neither exhaustive nor essential, the Framework, along with its accompanying self-assessment tool and accountability tracker, is likely to be invaluable for many organisations.