Accountability Framework: How to demonstrate compliance

Accountability framework

Accountability is one of the main data protection principles – in effect, it makes organisations not only responsible for complying with the GDPR, but also for to demonstrating their compliance.

This means organisations need to put in place appropriate technical and organisational measures to meet the requirements of accountability. These obligations are ongoing and must be reviewed and, where necessary, updated from time to time.

An accountability framework can help you embed accountability and create a culture of privacy across any organisation. Being accountable can help organisations to build trust with individuals and may help mitigate enforcement action.

The ICO’s Accountability Framework is designed to help organisations identify the right steps and actions to take improve their compliance, by managing their approach to privacy. It aims to create out a roadmap for organisations to follow, making it easier to see what needs to be done to improve.

People increasingly want to know how their data is being used and how it is being looked after. They want to know that their personal data is in safe hands, and that organisations have put in place mechanisms to protect their information. Successfully embedding accountability will enhance any organisation’s reputation as a business that can be trusted with personal data.

The ICO says its Accountability Framework sets out “questions to challenge your thinking, clear ways to evaluate your current compliance and help you put firm plans in place. It will enable you to not only rebuild data protection and information governance practices but equip you with tools and reports to help you improve them”.

The scope of the Accountability Framework
The ICO’s Accountability Framework supports the foundations of an effective privacy management programme. It is not sector specific and is divided into 10 categories:

  1. Leadership and Oversight
  2. Policies and Procedures
  3. Training and awareness
  4. Individuals’ rights
  5. Transparency
  6. Records of processing and lawful basis
  7. Contracts and data sharing
  8. Category 8: Risks and DPIAs
  9. Records management and security
  10. Breach response and monitoring

Each contains expectations and examples of how an organisation can demonstrate its accountability.

Leadership and oversight
A fundamental building block of accountability is strong leadership and oversight. This includes making sure that staff have clear responsibilities for data protection-related activities at a strategic and operational level.

Some organisations legally require a DPO; but all must allocate sufficient resources and make sure that data protection is a shared responsibility, rather than solely the task of someone working directly in a data protection role. You make senior management and the board accountable, and they must lead by example to promote the organised, proactive and positive approach to data protection that underpins everything else.

Policies and procedures
Policies and procedures provide clarity and consistency, by communicating what people need to do and why. Policies can also communicate goals, values and a positive tone. Data protection law specifically requires you to put in place data protection policies where proportionate. What you have policies for, and their level of detail varies, but effective data protection policies and procedures can help your organisation to take the practical steps to comply with your legal obligations.

Training and awareness
This makes sure that all employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date. Training and awareness is key to actually putting into practice your policies, procedures and measures by:

  • integrating data protection across your entire organisation so it is second nature;
  • making sure you are compliant; and
  • being able to prove what you are doing.

Individuals’ rights
Data protection law aims to empower individuals and give them greater control over their personal data through several rights, which you need to facilitate effectively. Compliance with individual rights minimises the privacy risks to individuals as well as to organisations. It will help you to comply with other data protection requirements, such as the principles. Good data protection compliance enhances your reputation and gives you a competitive edge because it increases the trust and confidence that people have in how you handle personal data.

Transparency is a key data protection principle which is fundamental to a ‘data protection by design and by default’ approach. It facilitates the exercise of individuals’ rights and gives people greater control. This is particularly important if the processing is complex or if it relates to a child. Proactively respecting people’s privacy can give you a competitive advantage by increasing the confidence of the public, regulators and business partners. Being open and honest about what you do with personal data will support contracting and data sharing with third parties.

Records of process and lawful basis
It’s a legal requirement to document your processing activities. Taking stock of what information you have, where it is and what you do with it makes it much easier for you to improve your information governance and comply with other aspects of data protection law (such as creating a privacy notice and keeping personal data secure). It is a clear way to show what you are doing in line with the accountability principle and we may require you to provide these records to us. Your processing won’t be lawful without a valid lawful basis so you must justify your choice appropriately.

Contracts and data sharing
It is good practice for you to have written data sharing agreements when controllers share personal data. This helps everyone to understand the purpose for the sharing, what will happen at each stage and what responsibilities they have. It also helps you to demonstrate compliance in a clear and formal way. Similarly, written contracts help controllers and processors to demonstrate compliance and understand their obligations, responsibilities and liabilities.

Risks and data protection impact assessments
The need to identify, assess and manage privacy risks is an integral part of accountability. Understanding the risks of the way you use personal data specifically is central to creating an appropriate and proportionate privacy management framework. A DPIA is a key risk management tool, and an important part of integrating ‘data protection by design and by default’ across your organisation. It helps you to identify, record and minimise the data protection risks of projects. DPIAs are mandatory in some cases and there are specific legal requirements for content and process. If you cannot mitigate a high risk, you must have a process for reporting this to the ICO.

Records management and security
Good records management supports good data governance and data protection. Wider benefits include supporting information access, making sure that you can find information about past activities, and enabling the more effective use of resources. Some of the consequences of poor records management include poor decisions, failure to handle information securely and inefficiencies. Information security also supports good data governance, and is itself a legal data protection requirement. Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – it may even endanger lives in some extreme cases.

Breach response and monitoring
You need to be able to detect, investigate, risk-assess and record any breaches. You must report them as appropriate. Having effective processes in place helps you to do this. A personal data breach can have a range of adverse effects on individuals. There can be serious repercussions for organisations, their employees and customers, such as financial penalties (failure to notify a breach when required can result in a fine up to 10 million Euros or 2% of your global turnover), reputational damage, loss of business and disciplinary action.

The Accountability Framework is an opportunity to assess your organisation’s accountability. Depending on your circumstances, you may use it in different ways. For example, you may want to:

  • create a comprehensive privacy management programme;
  • check your existing practices against the ICO’s expectations;
  • consider whether you could improve existing practices, perhaps in specific areas;
  • understand ways to demonstrate compliance;
  • record, track and report on progress; or
  • increase senior management engagement and privacy awareness across your organisation

If you’d like to learn about the Accountability Framework in more detail, download our free flipbook.

Further reading:

Security compliance – a carrot or a stick?

Robert wassall

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.