Privacy & Information Security Law Blog

On September 9, 2020, the UK Information Commissioner’s Office (“ICO”) published an Accountability Framework, designed to assist organizations in complying with their accountability obligations under the EU General Data Protection Regulation (“GDPR”). The GDPR’s accountability principle requires that organizations both comply with their legal requirements under the GDPR, and also demonstrate their compliance. The ICO states that its Accountability Framework “supports the foundations of an effective privacy management programme.”

The ICO notes that its Accountability Framework is still in its “beta phase,” and that it will be improved over time following consultation with stakeholders. The structure of the Framework is based on 10 core aspects of the GDPR, namely: (1) leadership and oversight; (2) training and awareness; (3) transparency; (4) contracts and data sharing; (5) records management and security; (6) policies and procedures; (7) individuals’ rights; (8) records of processing and lawful basis; (9) risks and data protection impact assessments; and (10) breach response and monitoring. For each of the 10 core areas, the Framework identifies practical ways in which organizations can meet their compliance obligations.

The ICO also provides an accountability self-assessment tool as part of the Framework, which provides feedback on where organizations are or are not meeting expectations. This tool requires organizations to estimate their level of compliance across the 10 areas listed above, and then generates a report to assist organizations in determining key areas of focus. The ICO explains that this report can be used as a tool to communicate current levels of compliance and areas for improvement to senior managers within the organization. In addition, organizations can use the ICO’s accountability tracker to measure how their accountability compliance progresses over time.

According to the ICO, the Accountability Framework will be of particular use to those responsible for implementing data privacy management programs, such as senior management, data protection officers and those responsible for records management and information security. The structure of the Framework is broad and flexible so that organizations may exercise judgment as to which of the articulated expectations are most relevant to their business. The ICO notes that the methods identified in the Framework for meeting its expectations of accountability are not exhaustive, and that organizations may meet these expectations in “slightly different or unique ways.”

Ian Hulme, the ICO’s Director of Regulatory Assurance, stated: “Data protection compliance is not one size fits all. Our framework has been designed to support organisations to identify the right steps and actions to improve their compliance. It should empower and enable you to embed accountability throughout your organisation. Successfully embedding accountability will enhance your reputation as a business that can be trusted with personal data. The public are increasingly demanding to be shown how their data is being used and how it is being looked after. They want to know that their personal data is in safe hands, and that you have put in place mechanisms to protect their information.”

Feedback may be submitted on the Framework before November 2, 2020. Organizations are also able to register to take part in future consultation.