The UK Information Commissioner’s Office’s Accountability Framework Tool
Posted on 11 Nov 2020
The UK’s Information Commissioner’s Office (ICO) published its ‘Accountability Framework’ on 10th September 2020. It is designed to help organisations comply with the accountability principle under the GDPR and to meet the expectations set by the ICO.
Who is the Framework for?
The Accountability Framework (the ‘Framework’) applies to all firms processing personal data and helps firms put appropriate measures in place to ensure that their organisation complies with the data protection principles. Within such firms, its intended users include senior management, those with information security or records management responsibilities, and the firm’s Data Protection Officer.
The measures that are implemented must be risk-based, appropriate and proportionate to the type of organisation and the types of data processing involved.
Scope of the Framework
The Framework provides support for the foundations of an adequate privacy management programme. It is important to note that it is not sector-specific, as the ICO wants the Framework to be relevant to as broad an audience as possible.
However, the Framework is not exhaustive and does not replace the need for firms to comply with all relevant aspects of data protection law, to exercise their own judgement and to use other relevant guidance and materials.
Contents of the Framework
The Framework is divided into ten categories, and each category sets out the ICO’s key expectations and how firms can meet them. Examples of categories include ‘Policies and Procedures’ and ‘Leadership and Oversight’. The Framework is based on the ICO’s experience of working with organisations and is not an exhaustive list.
To expand on the contents of the Framework, we have provided a summary of two chapters:
- Contracts and Data Sharing: this chapter explains that it is good practice for firms to have written data sharing agreements whenever personal data is shared. Such agreements help everyone understand the purpose of the sharing, what may happen at each stage of the sharing and the responsibilities each party has. The chapter also lists what the ICO expects from firms, for example when implementing data sharing policies and procedures and when an organisation considers using third-party products and services for data processing activities.
- Breach Response and Monitoring: firms need to be able to detect, investigate, risk-assess and record any breaches that take place. This chapter outlines the processes that should be in place to respond to breaches and monitor them effectively. For example, the ICO expects firms to have a response plan addressing security incidents and, where a firm has an internal audit programme, expects that programme to cover data protection and related information governance.
How can firms use this Framework?
The Framework provides an opportunity for firms to assess their organisation’s accountability in the field of data protection. It may be used in various ways, such as:
1. Supporting an assessment of whether existing practices, or specific areas, need improvement;
2. Providing the basis for creating a thorough privacy management programme; or
3. Supporting efforts to increase privacy awareness internally.
Documenting how the ICO’s expectations are being met is essential; however, firms must remember that accountability is also about what they actually do in practice, and they should therefore review the effectiveness of the measures being implemented.
GDPR and Laven Tech
Laven Tech offers a comprehensive solution to manage and document firms’ adherence to the principle of accountability. Laven Tech’s Compliance bundle digitalises the critical components of the data protection workflow to give the DPO complete coverage and oversight.